If I had one EOB sent to the wrong patient with the information you described, I would talk to the wrong patient and obtain an attestation form. If the wrong patient was cooperative, etc. I would categorize it as an impermissible disclosure, no breach, as I wouldn't think there was more than a low risk that the information contained in the EOB could compromise the patient. So times that by >500 and I would be pretty busy for a while! However, if I could not talk to the patient, obtain an attestation form, or if the wrong patient was uncooperative, I would deem it a breach.
Frank, yes, if I talk to the wrong patient and he/she is cooperative and signs an attestation, I believe that would help mitigate the risk to the PHI.
Great discussion agree impermissible disclosure and breach reporting needed.
Kathy Wehmer-Brown R.N.
The Women's Hospital