Reminder Postcards for Satisfaction Survey Result in HIPAA Privacy Rule Violation

On May 2, 2014, the Maryland Department of Health and Mental Hygiene issued a press release regarding a HIPAA Privacy Rule violation by a subcontractor of the Developmental Disabilities Administration (DDA). Specifically, the DDA contracts with vendor Inclusion Research Institute who subcontracts with M. Davis and Company to conduct quality of life surveys for individuals receiving DDA services. In February 2014, M. Davis and Company mailed postcards to approximately 2200 individuals to remind them to complete and return a satisfaction survey. The postcards, which were addressed to the individuals, were not enclosed in envelopes. Further, the postcard indicated that the individuals were receiving the notification because they had received services from DDA, the fact of which is protected health information. The DDA was notified of the breach on March 3, 2014 and contacted the vendor. The press release indicates that the vendor is in the process of notifying affected individuals and plans to correct this issue in future mailings.

This situation should prompt providers to look at their use of postcard mailings and consider compliance with the HIPAA Privacy Rule. The Privacy Rule permits providers to communicate with patients regarding their health care, whether by mail or by phone. A frequently asked question posted on the Department of Health and Human Services website explains that while this type of communication is permissible, covered entities and business associates should make efforts to limit the amount of information disclosed. In cases where a patient has requested that the covered entity communicate with him in a confidential manner, the covered entity is expected to accommodate reasonable requests. For example, a patient who requests to receive appointment reminders in an enclosed envelope rather than on a postcard should be accommodated. Covered entities and business associates who utilize postcard reminders are advised to ensure that sensitive information is not included.

Speak Your Mind