The Colorado Department of Health Care Policy and Financing has accidentally disclosed protected health information on patients and is in breach of HIPAA regulations following a recent mailshot. The breach has now been publicly revealed and the patients affected have been notified.
The HIPAA breach was due to a survey being sent to almost 15,000 patients, each of whom had received medical treatment through Medicaid or the Office of Behavioral Health belonging to the Department of Human Services. The HIPAA violation did not involve social security numbers, addresses or any other information in the mailshot that could be used by thieves or fraudsters.
The HIPAA violation was for using a postcard for the mailshot rather than a sealed envelope to send the survey. By using a postcard, the name and address of the recipient were clearly visible, while the survey identified them as being a patient of the organization. The survey contained questions about the behavioral health care services they had received, and someone other than the intended recipient would have been able to read the information with ease. Accidentally releasing protected health information is a clear breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The survey was carried out by Health Services Advisory Group, Inc. (HSAG) and Thoroughbred Research Group (Thoroughbred) with the Department as sponsor. The survey was sent out on July 30 and September 3, 2014.
The HIPAA violation was discovered after a complaint was submitted on September 9, 2014. Department of Health Care Policy and Financing Executive Director, Susan E. Birch, has since remarked that “The Department and our contractors are working together to improve procedures to ensure this does not happen again.” She also assures patients that the Department treats the privacy of protected health information with the utmost importance. Procedures have now been put in place to ensure future HIPAA compliance, and future surveys will be distributed in full compliance with HIPAA data security rules.