Survey postcard leads to HIPAA breach in Maryland


A vendor working with the Maryland Developmental Disabilities Administration (DDA) was recently caught in a HIPAA breach after failing to securely mail postcards to recipients of DDA services, according to a press release from the Maryland Department of Health and Mental Hygiene.

The DDA hired Inclusion Research Institute and its subcontractor M. Davis and Company to mail its annual quality-of-life survey to individuals who receive DDA services. M. Davis and Company mailed survey reminder postcards to approximately 2,200 individuals in February. The postcards indicated that DDA selected the recipients to take the survey because they received services from the department.

The healthcare services an individual receives are considered PHI. The postcards were not enclosed in envelopes, so anyone who handled or saw them could learn that the intended recipients received services from DDA. This therefore constitutes a HIPAA breach, and the vendor is taking steps to notify affected individuals, according to the press release.


  1. Hernan Serrano says:

    Should I assume the breach in this case is caused by the cards being viewed by the Post Office personnel? They are the “unauthorized” individuals?


  2. Jaclyn Fitzgerald says:

    Hi, Hernan,

    I think the issue is that there is a chance the patients’ PHI was compromised because it was exposed to anyone who could have possibly viewed the postcards. USPS employees would be the people most likely to view the information on the cards. However, there’s always potential that someone else could have viewed it if the postcards were mailed or delivered to the wrong address or if the intended recipient no longer lived at the address where the postcard was delivered. I think there are quite a few possibilities outside of the USPS employees.

    Since the Omnibus Rule eliminated the harm threshold, I think many organizations consider PHI to meet the definition of “compromised” if it is possible that the PHI was viewed by an unauthorized party by fault of the CE or BA.

  3. We are a medical equipment company. We send customer satisfaction survey postcards in the mail as well. While the only PHI is name and address, it is apparent that they received some type of service or equipment from us. Is this stating that this is a HIPAA breach?

  4. Jaclyn Fitzgerald says:

    Hi, Melissa,

    The Maryland Department of Health and Mental Hygiene and its vendor are treating this as a HIPAA breach. The department’s website doesn’t go into great detail about the specific wording on the postcards, but does say that it was clear the recipients received services from the Maryland Developmental Disabilities Administration. It’s possible that these postcards contained some specific information.

  5. Ronda Hogan says:

    This leads to the question: when a caller searching for information asks if you have records for a patient, is it OK to verify that a patient has been seen at your facility? Some facilities do confirm a yes or no if the caller provides a date of birth, and some facilities will not divulge anything. Of course, this is only whether records are or are not available, nothing else. From an ROI standpoint, you don’t want to release anything without the proper paperwork.

  6. Jaclyn Fitzgerald says:

    I’m not sure, Ronda, but this is a great question. I’ll pass it along to one of our HIPAA experts.