Tag Archives: CVS/Caremark

HIPAA: Healthcare mailers violate privacy rights of people living with HIV

HEAL Blog is the recipient of the ADAP Advocacy Association’s 2015-2016 ADAP Social Media Campaign of the Year Award
By: Marcus J. Hopkins, Blogger

It came to light, last week, that Aetna – one of the largest health insurers in the U.S. – inadvertently revealed the HIV status of up to 12,000 clients by way of a mailer sent on July 28th, 2017 containing information about their options when they filled prescriptions for HIV medications. The notice was sent in the traditional envelopes sent by businesses, with the clear plastic window through which the letters “HIV” were clearly visible. The letters went out to people who are currently taking medications to treat HIV, as well as those taking Pre-Exposure Prophylaxis (PrEP), a regimen used to prevent the transmission of HIV (Kennedy, 2017).

Aetna mailer showing privacy violations.

In a similar incident, Ohio’s AIDS Drug Assistance Program (OhDAP), along with CVS/Caremark, sent out a similar mailer to roughly 4,000 clients containing their new “Insurance” cards, along with the full names, addresses, and the letters HIV above their names. In addition to that, the card provided inside the mailer contained ID numbers that included the clients’ date of birth, which creates the potential for identity theft (Hamilton, 2017).

Eddie Hamilton, who leads the ADAP Educational Initiative, was one of the victims of the privacy violations executed by OhDAP and CVS/Caremark. He provided a copy of the mailer to the HEAL Blog.

CVS/Caremark mailer showing privacy violations.

Both of these instances are a violation of Health Insurance Portability and Accountability Act (HIPAA), specifically Title II’s Privacy Rule, which regulates the use and disclosure of Protected Health Information (PHI), which prevents any information related to health status, provision of health care, or payment of healthcare that can be linked to an individual from being disclosed without the patient’s direct consent. These provisions were put in place in no small part because sensitive information, such as one’s HIV status, is something that can be used against individuals to deny access to certain benefits and jobs (which is also illegal under the Americans with Disabilities Act, or ADA), and/or have this information get into the hands of those who will use the patient’s HIV status against them in either a private or public manner.

What is most galling about these disclosures is that they were easily avoidable. While it is common business practice to use envelopes with clear windows in an effort to save a few cents per piece of mail, the relative savings compared to printing the address on a sticker and applying it to the outside of the envelope pale in comparison to the potentially high dollar amount in fines for each HIPAA violation, which can range from $100 to $50,000 per violation. And all to save a few centers per mailer.

Aetna, in response to their error, sent out a second letter informing customers of the privacy breach, and in a statement blamed an unnamed vendor for their failure to protect patients’ private health information. The letter was sent to customers in Arizona, California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania, and Washington, D.C. (O’Donnell, 2017). Attorneys for the Legal Action Center and the AIDS Law Project of Pennsylvania sent Aetna a demand letter that included a cease and desist order, as well as calling on Aetna to develop a plan of action to ensure that these types of incidents do not occur in the future (Legal Action Center, 2017).

Neither OhDAP, nor CVS/Caremark have made public statements regarding the disclosure of 4,000 clients’ HIV status. Additionally, the clients in question are those who rely solely upon ADAP funds to procure their medications, a program designed to help those who fall within a certain percentage of the Federal Poverty Limit (FPL) afford medications they might not otherwise be able to access. This means that these clients are less likely to have access to legal aid to help them redress the breach of their confidential PHI, and are less likely to know the appropriate steps to take in order to file HIPAA violation complaints with the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) or other state authorities.

One of the reasons why HIPAA is so vital for patients living with HIV is that it is their decision to disclose their HIV status, rather than that of healthcare workers, insurers, or any related businesses and partners. While certain areas of the U.S. tend to be more openly accepting about HIV status, other areas may be less than accommodating. Having one’s status revealed to family members, roommates, or friends without permission can have social repercussions, particularly in more religious areas of the country. It is difficult to overstate the severity of these breaches of confidentiality and privacy.

Beyond that, it is unclear whether the current administration’s OCR is going to take any actions against any of the offending parties, in which case patients and clients will have to resort to private or class-action suits against these organizations in order to properly address the situation. Normally, the OCR accepts settlements from offending parties, involving a lump sum payment and no admission of guilt (which is already assumed with the companies reveal that they’ve disclosed this information). HEAL Blog will continue to monitor these issues to see if any resolutions are met.



Disclaimer: HEAL Blogs do not necessarily reflect the views of the Community Access National Network (CANN), but rather they provide a neutral platform whereby the author serves to promote open, honest discussion about Hepatitis-related issues and updates. Please note that the content of some of the HEAL Blogs might be graphic due to the nature of the issues being addressed in it.


Leave a comment

Filed under Uncategorized