Q&A: Receiving postcards with appointment information

Q: Is it a HIPAA violation to receive a postcard from a facility regarding your mammogram, date, time, and instructions?

A: Covered entities (CE) can send appointment reminders to patients using a postcard as long as the CE sending the reminder is not a specialty practice, such as a mental health practitioner, because that will reveal the condition of the patient if an unauthorized individual reads the post card.

It may be a breach of unsecure PHI if the postcard includes diagnosis and treatment information. The postcard reminder of an upcoming mammogram should only have included the healthcare provider’s name and the date and time of the appointment. It should not have indicated that the purpose of the appointment was for a mammogram.

Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.