Mailing Mistake HIPAA Violation Sees EmblemHealth Fined $575k

by | Mar 12, 2018

EmblemHealth has agreed a $575,000 settlement with the New York Attorney General following a 2016 mailing error that saw the Health Insurance Claim Numbers of 81,122 clients printed on the outside of envelopes.

New York Attorney General Eric T. Schneiderman announced the settlement and stated that the Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA covered entities to formulate administrative, physical, and security measures to ensure the confidentiality of patients’ and plan members’ private health data.

A unique patient identifier is printed on the envelopes in all mailings. In this particular instance the potential for harm was considerable, as Health Insurance Claim Numbers include the Social Security numbers of clients.

EmblemHealth did not adhere to “many standards and procedural specifications” that are obligatory under HIPAA regulations. Attorney General Schneiderman also revealed that having Social Security numbers visible on the outside of envelopes breaches New York General Business Law § 399-ddd(2)(e).

Along with the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The Attorney General’s office must be made aware of the outcome of that risk analysis review within six months. Policies and procedures that involve mailings must also be constantly reviewed and refreshed based on the official outcomes of the risk analysis.

EmblemHealth must list, audit and monitor mailings and make sure that all members of staff involved in mailings receive the proper training. They must also be trained on reporting any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow fast remedial action to be taken to manage risks to individuals. EmblemHealth must also report all security incidents to the Attorney General’s office for a period of three years from the settlement date.

New York State Attorney General Schneiderman cited “weak and outdated security laws”, which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017.

There will now be another attempt to get the SHIELD Act passed. Schneiderman says that the SHIELD Act will improve security for state residents. Companies will also be responsible for data breaches that lead to customers’ personal data being exposed.

 


Ryan Coyne
