Margaret Corley uses AdvancePCS to obtain prescriptions via mail order. When all goes well, it's an efficient method. But every so often, something runs amok.

Corley -- she and her husband moved from Fairfax to Greenfield, Ind., late last year -- said a dispute last month about reimbursement for one of his drugs led the Advance office in Birmingham, Ala., to return a prescription to her so she could send it to another part of the company. An Rx did arrive in the mail, but it was not the one she expected.

"Enclosed were two prescriptions for a man in Mississippi, along with his Advance form he had signed. This preprinted form stated his name, address, phone number, Social Security number, account number and all of his medications," Corley said. Only after another call to Advance did Corley receive her husband's paperwork.

Corley's experience came a month before new regulations took effect to protect the privacy of medical records. These federal rules -- implementing the Health Insurance Portability and Accountability Act (HIPAA) -- curtail the disclosure of health information and allow people to file complaints with the Department of Health and Human Services (HHS) if they believe their records have been shared improperly.

Advance, based in Irving, Tex., said its privacy standards would not permit it to discuss particulars of the Corley case. On Friday, Corley said Advance officials had attributed the error to a staff person who "had entered one wrong digit" on a computerized mailing system.

A statement from the company noted that it handled 40 million mailed-in claims last year and continued, "In the extremely rare event that an error does occur at AdvancePCS, we work diligently until the problem is resolved to the member's satisfaction."

Rare it may be, but Corley said this was not the first time she received a stranger's records. "The same thing had happened two, three, four years ago," she said, and she simply forwarded the documents to the other patient.

"When this happened again" with her husband's prescription, she said, she asked herself, "Who knows whether they sent his pages to some other person?"

An incident like Corley's "undermines the kind of trust that people need to have" in the entities that handle medical data, said Janlori Goldman, director of the nonprofit Health Privacy Project, based in Washington (www.healthprivacy.org).

While the mix-up was more likely due to "sloppiness and lack of care" than to malice, Goldman said, HIPAA will "hopefully bring a major change" so that providers routinely ask, "Are we sending the right information to the right person?"

-- Tom Graham

The System welcomes comments from patients, providers, insurers and others about the delivery of health care. While we cannot advocate on behalf of individuals, we are looking for examples of problems and solutions that may direct our reporting. Contact us by U.S. Mail or by e-mail at thesystem@washpost.com. Do not send original documents.