Health Information Compliance Alert

Published on Mon Nov 17, 2014 PDF

Question: Our provider group would like to send out postcards to our patients. The postcards would contain a link to an online quality-of-care survey. Should we worry about any HIPAA implications?

Answer: Yes, there are HIPAA privacy risks involved in mailing out postcards to your patients. Even though the postcards might contain only the patients’ names and addresses, along with the link to the online survey, you’re still exposing their protected health information (PHI) — and risking a HIPAA privacy breach.

In fact, a recent case illustrates this point:

The Colorado Department of Health Care Policy & Financing unintentionally disclosed the PHI of about 15,000 individuals receiving behavioral health services through Medicaid or the Department of Human Services’ Office of Behavioral Health, according to an Oct. 10 Department announcement. The disclosure occurred when the Department mailed survey postcards to these individuals.

Problem: The postcards were not mailed in envelopes and therefore could be read by someone other than the addressee, the Department said. Although the postcards did not contain individuals’ Social Security numbers or any other information used for identity theft, they did include the addressee’s address and first and last name, as well as the Department’s logo and a request to provide feedback regarding the addressee’s behavioral healthcare services. 

Disclosing that the addressee receives behavioral healthcare services is a violation of HIPAA. The Department notified affected individuals of the breach after receiving a complaint on Sept. 9.