A Spokane laboratory has notified 2,000 clients at three Washington hospitals – including Sacred Heart Medical Center – that private information about their medical tests was inadvertently mailed to the wrong addresses.
Officials from Pathology Associates Medical Laboratories confirmed Wednesday that a glitch in a computer program sent statements to the wrong addresses of clients billed through Providence Health and Services hospitals in Everett, Centralia and Spokane.
The group included about 150 clients billed through Sacred Heart Medical Center, said Chuck Hawley, vice president of public affairs for Providence, which also operates PAML.
The statements revealed the names of clients, the types of tests performed and the costs for the procedures, but no other personal information.
“It didn’t include test results, Social Security numbers, insurance numbers or other identifying information,” Hawley said.
The error was discovered late last week and corrected the same day, he added. Letters dated July 31 explaining the situation were mailed Monday.
“SHMC takes this incident very seriously,” the letter said. “We are notifying you of this event so that you are aware that your name and test information may have been seen by another person.”
The disclosures are a violation of federal medical privacy requirements of HIPAA, the Health Insurance Portability and Accountability Act.
The federal law requires health agencies to disclose the errors in a log that can be accessed by clients. Violators could face civil penalties – up to $100 per incident, or a total of $25,000 a year – or criminal penalties.
But Hawley said Providence officials wanted to make sure that clients wouldn’t worry that their medical records had been compromised.
“We’re not approaching it from a compliance standpoint,” he said Wednesday. “We’re approaching this from the standpoint of ‘What do our patients need to know?’ ”
In addition, Dr. Tom Tiffany, president of PAML, issued an apology to all affected clients.
More than 4 million laboratory tests were ordered for PAML clients throughout the Northwest last year. The lab performs billing services for 22 agencies and mails more than 1.4 million statements annually, officials said.
Clients who are concerned that the computer error violated their privacy rights can file a complaint with the federal Office for Civil Rights. From April 2003, when HIPAA took effect, through the end of June, the office had received nearly 28,400 complaints. Recently, that has included some 600 to 700 complaints a month, according to the agency’s Web site.
Records of complaints for individual health care providers are not available, said Michael Robinson, a spokesman for the federal office.
In four years, no hospital, laboratory or other agency has been punished for violating rules aimed at protecting medical privacy.
“We have not levied any civil penalties,” Robinson said.