What’s in Your Envelope? HIPAA Wants to Know

By Margaret Scavotto, JD
Director of Compliance Services
Management Performance Associates

This summer, Aetna made headlines when it used a contractor to send a mailing to 12,000 members. The letters went out in windowed envelopes of the kind typical of mass business mailings. For some recipients, the following language, revealing the member’s HIV status, was visible through the envelope window: “The purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medic…members can use a retail pharmacy or a mail order pharma….”

This breach of sensitive patient information left health care providers scratching their heads: We didn’t think about this as a risk. How can we anticipate every possible HIPAA breach?

Four months later, we see another HIPAA gaffe involving – yes – a mass mailing. This time, the breach involved a not-for-profit community health plan that provides care and coverage to Medicaid patients with chronic health conditions – like HIV.

The health plan mailed flyers to HIV patients, promoting an HIV research project. The mailroom was careful to assemble the mailing so that no PHI was visible through the envelope window. But the words “Your HIV detecta” could still be read through the paper of the envelope itself.

What’s a provider to do?

Providers are already scrambling to keep up with skyrocketing cyber threats to their ePHI. These two envelope breaches are reminders that HIPAA risks are everywhere, and a HIPAA Privacy Officer’s job never ends. How do we prevent breaches that seem so hard to anticipate?

  • Remember that paper still counts. Yes, healthcare is the #1 target of cyber-attacks. But paper breaches are still very common, and they need our attention, too.
  • Use your security risk analysis. Make an ePHI inventory. Then expand it to include paper and verbal PHI. Include every way PHI is stored, used, disclosed, and accessed. This should cast a wide net, and it should capture paper mailings.
  • Use a team approach. When it comes to identifying risks in a diverse and evolving field, more heads are better than one. Talk to your Compliance Committee regularly about HIPAA. Keep asking people what they are working on, so you can identify HIPAA risks where others may have overlooked them.
  • Keep an eye on your neighbors. These two envelope examples are a cautionary tale for other providers. Watch the headlines and OCR settlements and guidance. Find out how other providers experienced breaches, and do everything you can to prevent the same breaches in your own organization.



  1. Another thing I have often thought about – I work for a community mental health center. I wonder if we should be sending things to clients in envelopes marked with our logo on them. Doesn’t that tell someone who sees that envelope that a person at that address possibly has a relationship with that entity? Should we use plain envelopes with just a return address and not the name of the center or logo on it? I often ponder that thought and I’ve been asked to look into it, but there is no information that I can find at all regarding that subject. What are your thoughts?

  2. Denise,
    You raised an excellent example of a scenario without a clear answer under HIPAA. Does the fact that an individual is receiving treatment from your organization constitute PHI (is it information that relates to “the provision of health care to an individual” and does it identify the individual)? See 45 CFR 160.103.

    I have not seen black-and-white guidance from OCR on this topic, and suggest consulting your health care attorney for guidance and an answer.

    I do think you have raised a question with significance, whether we are talking about HIPAA or not: What’s the best thing for your patients? How would you want to receive mail from your organization? Regardless of what HIPAA and your attorneys say, erring on the side of privacy might afford a courtesy that your organization – and your patients – would value.
