Colorado Behavioral Health Patients Advised of HIPAA Breach
A recent postcard mailing by the Colorado Department of Health Care Policy and Financing has, albeit accidentally, disclosed protected health information on patients and is in breach of HIPAA regulations. The breach has now been made public and the patients concerned have been notified by mail.
The HIPAA breach was due to a survey being mailed to approximately 15,000 patients, each of whom had received treatment through Medicaid or the Office of Behavioral Health belonging to the Department of Human Services. The HIPAA violation was not due to social security numbers and addresses being listed in the communication or any other information which could potentially be used by thieves or fraudsters.
The HIPAA violation was for using a postcard rather than a sealed envelope for the survey. By using a postcard the name and the address of the recipient was clearly visible, while the survey identified them as being behavioral services patients. The survey contained questions about the behavioral health care services they had received and someone other than the intended recipient could easily have read the information. Accidental disclosure of protected health information is in clear breach of the Health Insurance Portability and Accountability Act, 1996 (HIPAA).
The survey was conducted by Health Services Advisory Group, Inc. (HSAG) and Thoroughbred Research Group (Thoroughbred) with the Department as sponsor. The survey was mailed on July 30 and September 3, 2014.
The HIPAA violation was discovered after a complaint was received on September 9, 2014. Department of Health Care Policy and Financing Executive Director, Susan E. Birch, has since stated that “The Department and our contractors are working together to improve procedures to ensure this does not happen again.” She also assures patients that the Department takes the privacy of protected health information very seriously.
Procedures have now been implemented to ensure future HIPAA compliance and future surveys will be distributed in full accordance with HIPAA data security rules.