PHI Used for Market Research without Consent


The MS Center of Saint Louis and Mercy Clinic Neurology Town and Country have announced a breach of HIPAA regulations. More than one thousand patients of the two practices are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third parties, even though they did not give permission for their details to be disclosed to such organisations for marketing purposes.

Under the HIPAA Rules, patients must not be contacted for marketing or research purposes unless the organisation holding their data has first obtained their authorisation for their information to be used in that way. However, an error resulted in the information of MS Center and Mercy Clinic Neurology Town and Country patients being disclosed to third parties, and patients may be contacted by telephone, mail or email as a result. The organisations have not explained how the error came about.

The MS Center and Mercy Clinic Neurology Town and Country report that medication onboarding forms were accidentally provided to pharmaceutical companies. The forms had not been signed by the patients, so the disclosure was not authorised and was in violation of HIPAA. The error also means that patients' protected health information has been impermissibly disclosed.

Protected health information detailed on the forms includes names, email addresses, telephone numbers, home addresses, health insurance information, and in some cases, treatment and prescription information and Social Security numbers. No financial information was shared.

Due to the sensitive nature of the information disclosed, there is a possibility that it could be misused and that patients could become victims of identity theft. The MS Center and Mercy Clinic Neurology Town and Country consider the risk of fraud to be low, and state that the information has not been used for any purpose other than marketing and research. Nevertheless, out of an abundance of caution, all affected individuals have been offered 12 months of credit monitoring and identity theft protection services free of charge.

Upon discovery of the error, an internal investigation was launched and staff potentially involved were interviewed about the incident. Policies and procedures have since been changed to prevent similar incidents from occurring in the future. In accordance with the HIPAA Breach Notification Rule, all affected patients have been notified of the breach. Because more than 500 individuals were affected, the Department of Health and Human Services' Office for Civil Rights (OCR) has also been notified.