Patient campaign releases about 700 patient email addresses

Register now

Information on 700 patients was inadvertently released by Rutland Regional Medical Center as a result of an email campaign.

The hospital emailed a survey to discharged patients as part of an effort to improve discharge processes. However, each email included all 700 patient email addresses clearly visible.

That could be considered a breach of protected health information, but a hospital spokesperson speaking with the Free Press reporter declined to say whether the hospital considers the incident to be a breach under HIPAA rules. The spokesperson did not respond to a request from Health Data Management for comment.

To Rebecca Herold, CEO at the Privacy Professor consultancy, the incident is HIPAA-reportable. “Email addresses are PHI items on their own,” she says. “There do not need to be other types of PHI items involved.”

As such, email addresses must be protected against disclosure to anyone who does not need to see them to support treatment, payment or business operations, she advises.

Also See: Agency updates privacy rule for substance use disorder records

“Did all the patients sign some type of general consent that said they agree to allow the hospital to share their email addresses with all other patients of the hospital? While this is possible, it is highly unlikely,” she says.

That said, under the Federal Trade Commission Act in Section 5, there may be a case that Rutland’s email problem would not be considered a breach. That could happen if the addresses were collected separately in a campaign or situation “where these are not all patients, but instead email addresses that were provided just because the associated individuals wanted to receive information from the hospital not related to their treatment, payment and business operations,” she explains.

However, if a hospital posts a privacy notice promising that information collected from those visiting the site would not be shared with others, but actually shares it, that could be a FTC violation, Herold adds.

“Generally, without those highly improbable situations being in place, this would be a breach as defined under HIPAA that is reportable to the Department of Health and Human Services as well as to the individuals associated with the email addresses and could additionally be a violation of the FTC Act, Section 5,” she adds.

For reprint and licensing requests for this article, click here.