A sometimes surprising fact is that a person's name alone can be protected health information under the Health Insurance Portability and Accountability Act (HIPAA).
This is because protected health information can be just the fact that someone received services from a medical provider or health plan. For example, I have an appointment on Monday with my dentist. HIPAA does not require that the information include the type of services I need or the medical condition I have in order to be protected. In fact, the data may be protected even without the name. For example, an address list of people who received services would fall under protected health information just as a list of names would.
Customer lists for providers are essentially lists of individuals who use medical services at their facility and should be treated as protected information. Protections include all of the privacy requirements and, if the data is held electronically, all of the physical, administrative, and technical requirements for the data as well.
Entities should be mindful of this fact, especially when they send out mass mailings such as postcard reminders. A subcontractor for Maryland's Developmental Disability Administration (DDA) recently learned this lesson. In early 2014, the subcontractor mailed postcards to approximately 2200 individuals to remind them to fill out the satisfaction survey for the DDA. The postcard was not enclosed in an envelope, and therefore the name of the person receiving DDA services was publicly viewable. The DDA was made aware of this and promptly contacted the vendor, who is in the process of notifying the affected individuals and updating its policies to address this deficiency.
HIPAA can be complex, and sometimes the data is still covered even without a name or other medical information. If you need assistance understanding HIPAA or have questions about where it applies, please contact Kinney & Larson LLP.