HIPAA Breach Suffered by Colorado Behavioral Health Patients

by | Oct 15, 2014

The Colorado Department of Health Care Policy and Financing has, accidentally, disclosed protected health information on patients and is in breach of HIPAA regulations following a recent mailshot. The breach has now been publicly revealed and the patients affected have been notified.

The HIPAA breach was due to a survey being sent to almost 15,000 patients, each of whom had received medical treatment through Medicaid or the Office of Behavioral Health belonging to the Department of Human Services. The HIPAA violation was not in relation to social security numbers and addresses being listed in the mailshot or any other information which could possibly be used by thieves or fraudsters.

The HIPAA violation was for using a postcard for the mailshot rather than a sealed envelope to send the survey. By using a postcard the name and the address of the recipient was clearly visible, while the survey identified them as being patient of the organization. The survey contained questions about the behavioral health care services they had received and someone other than the intended recipient would been able to read the information with ease. Accidentally releasing protected health information is a clear breach of the Health Insurance Portability and Accountability Act, 1996 (HIPAA).

The survey was carried out by Health Services Advisory Group, Inc. (HSAG) and Thoroughbred Research Group (Thoroughbred) with the Department as sponsor. The survey was sent out on July 30 and September 3, 2014.

The HIPAA violation was discovered after a complaint was submitted on September 9, 2014. Department of Health Care Policy and Financing Executive Director, Susan E. Birch, has since remarked that “The Department and our contractors are working together to improve procedures to ensure this does not happen again.” She also assures patients that the Department treats the privacy of protected health information with the utmost importance.Procedures have now been put in place to ensure future HIPAA compliance and future surveys will be distributed in full compliance with HIPAA data security rules.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy