The healthcare sector may be moving into the digital age, but it is still a long way from paperless: 77% of Medical Group Management Association members report that they still send paper bills. All kinds of medical documents, from bills to medical reports, make their way to patients through the US Postal Service every day. How can healthcare companies ensure that this mail is sent securely, reaches the right person, and does not turn into a data breach?
The Health Insurance Portability and Accountability Act (HIPAA) includes a Privacy Rule, which prohibits the unauthorized disclosure of protected health information (PHI) in any format, including paper. Its Breach Notification Rule also requires covered entities to notify affected individuals, and in many cases regulators, when paper records are disclosed in error. Violations can get expensive for healthcare organizations. Depending on the level of negligence, penalties can run up to $50,000 per violation, with an annual maximum of $1.5 million for violations of the same provision.
In 2017, Triple-S Advantage, a Blue Cross Blue Shield licensee in Puerto Rico, mailed notifications containing PHI for more than 36,000 patients to the wrong addresses, a massive healthcare data breach. The letters included patients' names, health plan identification numbers, dates of service and treatment codes. It was not the organization's first breach; it had been fined millions of dollars for similar incidents in the past.
Aside from the financial blowback, there is reputation to consider. Once a healthcare organization violates its patients' trust, that trust is difficult to earn back, and the investigation alone can be damaging. In 2015, the Department of Veterans Affairs sent veteran Anthony McCann 250 pages of personal health information intended for someone else. He said it was the latest of several similar errors, refused to return the documents, and publicly questioned the organization's competence.
Avoiding mistakes with the mail
How can healthcare organizations prevent postal privacy mishaps, minimize risk and protect patient information? They must build a secure workflow that protects privacy from the point of production until the letter is in the recipient's hands. That takes a governance framework that tracks the flow of sensitive paper-based information through the organization and beyond it.
When assessing the risk of a breach, a privacy impact assessment is an excellent place to start. By cataloguing the kinds of PHI the organization handles and the consequences of disclosing each kind, executives can assess the associated risk and decide how much protection each type of document needs.
Based on that assessment, healthcare providers can create policies for handling information. HIPAA's Security Rule requires covered entities and business associates to have written security policies covering administrative, physical and technical safeguards for electronic PHI; the Privacy Rule separately requires appropriate administrative, technical and physical safeguards for PHI in any form, including paper.
This plan should cover the creation, storage, transfer and disposal of protected healthcare data in many contexts. Having specific parts of the policy deal with paper-based information will help an organization prevent headline-grabbing errors. The plan might cover questions such as what kinds of information can be sent by mail, and the procedures to follow when compiling, printing and sending it. It could also cover the protective measures that paper-based information should have en route. For example, more sensitive data might require a tamper-evident envelope, so that a recipient can tell whether the contents were exposed in transit.
Unless healthcare companies communicate these policies, they will be little more than shelf-ware. Training employees to follow them, and to follow the breach response plan if a compromise does occur, is a critical part of the puzzle. So is enforcement, and this is where technology can help.
The software used to prepare data for healthcare communications and to print notifications must be configured and managed rigorously, or it becomes a vector for failure. Cincinnati-based TriHealth, for example, mailed billing statements for 1,126 patients to their former addresses between November 2015 and January 2017. Executives blamed a 'software glitch', but it was a medical data breach all the same: a statement printed from a stale address file is a disclosure to the wrong person, whatever the root cause.
Testing software thoroughly and keeping it patched will help to avoid such incidents. The software should authenticate users and enforce least-privilege, role-based access: an operator who only needs to release print jobs should not be able to edit address data or recipient lists. By giving employees access only to the functions they need, administrators limit the damage an untrained or careless user can do.
The software should maintain an audit trail, logging what each user does in the system, including which documents were generated and printed for mailing. The log should reference document and batch identifiers rather than copying the PHI itself, so that the audit trail does not become a second copy of the sensitive data.
An audit trail lets a healthcare provider check back that employees followed the appropriate procedures when generating documents containing sensitive information. It also makes enforcement easier for the privacy officer, who can review the records for red flags such as an address file that was not refreshed before a print run, or a batch released by someone outside the expected role.
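One way to enforce this kind of check inside the print workflow, as an added example that is not code from the original article or from any vendor it names: a pre-release gate that reconciles every document in a print batch against the current address of record, holds anything that does not match (the stale-address failure mode behind the TriHealth and Triple-S incidents), and writes an audit record of the release decision that carries document IDs and reasons but no names or addresses. The records, field names (`member_id`, `doc_id`, etc.) and function names are constructed for the example.

```python
"""Pre-release check for a healthcare print-and-mail batch.

Added example for this article; it is not code from the original page or from
any vendor named in it. The records, field names (member_id, doc_id, ...) and
function names are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed address-of-record table, keyed by member ID. In practice this
# would be read from the system of record immediately before the print run.
ADDRESS_OF_RECORD = {
    "M1001": {"name": "A. Patient", "address": "12 Oak St, Springfield, IL 62701"},
    "M1002": {"name": "B. Patient", "address": "8 Elm Ave, Dayton, OH 45402"},
    "M1003": {"name": "C. Patient", "address": "301 Pine Rd, Austin, TX 78701"},
}

# Constructed print batch as emitted by the document-composition software.
# D1 differs from the record only in formatting; D2 carries a stale address;
# D3 carries the wrong recipient name for its member ID; D4 refers to a member
# with no address of record at all.
PRINT_BATCH = [
    {"doc_id": "D1", "member_id": "M1001", "name": "A. Patient",
     "address": "12 oak st, Springfield IL 62701"},
    {"doc_id": "D2", "member_id": "M1002", "name": "B. Patient",
     "address": "99 Old Rd, Dayton, OH 45402"},
    {"doc_id": "D3", "member_id": "M1003", "name": "B. Patient",
     "address": "301 Pine Rd, Austin, TX 78701"},
    {"doc_id": "D4", "member_id": "M9999", "name": "Z. Unknown",
     "address": "1 Nowhere Ln, Nowhere, NA 00000"},
]


@dataclass(frozen=True)
class Finding:
    doc_id: str
    member_id: str
    reason: str


def normalize_address(addr: str) -> str:
    """Canonicalise punctuation, case and whitespace so that formatting
    differences alone do not hold a document."""
    return " ".join(addr.replace(",", " ").upper().split())


def validate_batch(batch, records):
    """Return one Finding per problem found. A document with any finding must
    not be released to print."""
    findings = []
    for doc in batch:
        rec = records.get(doc["member_id"])
        if rec is None:
            findings.append(Finding(doc["doc_id"], doc["member_id"],
                                    "no address of record for member"))
            continue
        if normalize_address(doc["address"]) != normalize_address(rec["address"]):
            findings.append(Finding(doc["doc_id"], doc["member_id"],
                                    "address differs from address of record"))
        if doc["name"].strip().casefold() != rec["name"].strip().casefold():
            findings.append(Finding(doc["doc_id"], doc["member_id"],
                                    "recipient name does not match member record"))
    return findings


def release_decision(batch, records):
    """Split the batch into document IDs cleared for printing and findings for
    documents held for manual review. Nothing is "fixed up" automatically: the
    corrected address must come from the system of record, not the print job."""
    findings = validate_batch(batch, records)
    held = {f.doc_id for f in findings}
    released = [d["doc_id"] for d in batch if d["doc_id"] not in held]
    return released, findings


def audit_entry(operator, batch_id, released, findings, when=None):
    """Build the audit-trail record for this release. It names who released
    which document IDs and why others were held; it deliberately carries no
    names or addresses, so the log is not a second copy of the PHI."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(),
        "operator": operator,
        "batch_id": batch_id,
        "released": list(released),
        "held": [{"doc_id": f.doc_id, "reason": f.reason} for f in findings],
    }


if __name__ == "__main__":
    released, findings = release_decision(PRINT_BATCH, ADDRESS_OF_RECORD)
    print(audit_entry("print-operator-07", "BATCH-2017-03", released, findings))
```

Run against the constructed data, only D1 is released; D2, D3 and D4 are held with a reason each, and the audit entry records the operator, the batch and the held document IDs without reproducing any recipient data. The same gate belongs in front of the presort hand-off as well, since an address that was correct when the batch was composed may have changed by the time it is printed.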
Security inside the organization and beyond
Protection for healthcare mailers shouldn't stop when paper leaves the healthcare company's offices. Mail handling processes usually involve third-party service providers; presorting partners that bundle mail by carrier route or ZIP code are a good example.
Vet these partners to ensure that they will handle your mail securely and not become the source of a data breach. They should be able to demonstrate strong physical security both at the facilities where mail is presorted and during transportation. Their software systems should be modern, reliable and secure so that they can track each piece while it is in their care. Finally, they should have sound personnel security, including background checks and drug screening for staff.
Healthcare companies that don’t put security first when sending personal information through the mail have a lot to lose. Financial capital and reputation are both at stake, and regulators are taking an increasingly strict view of violations. By keeping privacy top of mind when managing these sensitive paper-based documents, insurers can ensure that they protect their customers’ interests and preserve their ability to do business in the future.
Visit pitneybowes.com/us/presortservices for more information.