Colorado Behavioral Health Reports HIPAA Violation in a Mailed Survey

The Colorado Department of Health Care Policy and Financing has reported a HIPAA violation in a mailed survey that was sent to behavioral health patients.

The department was a sponsor of a survey conducted jointly by the Thoroughbred Research Group and the Health Services Advisory Group, Inc. (HSAG). Between July 30, 2014 and September 3, 2014, the survey was mailed to approximately 15,000 behavioral health patients.

However, it soon became clear that the mailed survey constituted a HIPAA violation when patients started calling to complain. The survey had been printed on postcards, and those postcards stated that the recipients had been receiving behavioral health services.

The postcards had the name and address of the patient clearly displayed – as would be expected on a mailing – but it was the combination of personal identifiers and Protected Health Information that constituted a HIPAA violation.

In this case, the HIPAA violation in a mailed survey would have been avoided if the survey had been sent in a sealed envelope rather than having PHI printed on a postcard. The survey asked a series of questions about the treatment and services that the patient had received from the behavioral health department and those questions were clearly visible on the postcard.

Under the Health Insurance Portability and Accountability Act, all covered entities are forbidden from disclosing Protected Health Information to unauthorized individuals without first de-identifying the data. It must not be possible for PHI to be tied to an individual. In this case it is not clear what effect this incident has had on the victims, but conceivably the information could cause embarrassment to the people concerned, and may even result in physical losses or prejudice being suffered.

Susan E. Birch, Executive Director of the Department of Health Care Policy and Financing, issued a statement about the HIPAA violation in the mailed survey, saying: “The Department and our contractors are working together to improve procedures to ensure this does not happen again.” She took the opportunity to confirm that the department takes the privacy of patients and the security of data very seriously.

The incident highlights the need for great care to be taken with patient correspondence, especially when using the services of a Business Associate that may not be fully familiar with HIPAA rules and regulations. The HIPAA Rules covering privacy and security must be clearly communicated to all Business Associates, and those obligations must also be set out in a Business Associate Agreement. It is imperative that healthcare data is protected at all times and that the BA is made aware of its responsibility to ensure data is not inadvertently disclosed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news