What is HIPAA and how can it be violated?
HIPAA stands for “Health Insurance Portability and Accountability Act”.
This federal law was enacted in 1996 to protect Patient Health Information (PHI) from being disclosed without the patient’s consent or knowledge.
Anyone who has access or comes in contact to this protected health information is required to ensure this information is only provided to those who require access.
Individuals requiring access could range from the doctors who treat the patients to the mailing staff who process outgoing mail.
HIPAA Requirement Related to PHI
Individuals handling PHI information are required to take courses that teach who and what information is authorized to be shared.
There are certain rules for each approved method used for sharing PHI information, such as encrypting emails or using secured phone lines. Though emails and phone calls are quick and easy, there are many security risks associated with them, so many organizations choose to communicate mostly through mail. While sending PHI documents by mail avoids many risks, there are common mistakes that could lead to violations.
Pages Stuck Together
Static, humidity, and technical issues can cause pages to stick together and be folded and inserted into an envelope together.
This means a patient’s PHI could end up going to the wrong address. When handling large mailings, pages sticking together is most always a risk.
Tips to Minimize Pages sticking together
- To reduce static, use an inkjet printer for documents that are processed with a folding/inserting machine.
- Paper and envelopes should be stored in a climate-controlled environment.
- Ensure your equipment is in working order and properly maintained.
- Envelopes produced should be validated to match the document volume.
Purchase and use barcode /scanning software and equipment to guarantee the correct documents go into the correct envelopes. This is a more expensive option, but can also provide peace of mind, especially when handling very high volumes or multiple number of pages per envelopes.
Discarding Mail Improperly
Misprints, overprints, and unwanted mail containing any type of PHI should be disposed of properly. Just like an old credit card, you do not want this information getting into the wrong hands. This information should always be shredded before being thrown out or recycled. For extra security, you may want to reach out to a professional secured document shredding agency.
Personal Information visibile in envelope window
One of the easiest violations to overlook is PHI being visible through the envelope window. Any identifying information other than the name and address such as an account number, date of birth, appointment information, etc. should not be visible through an unopened envelope.
It is important to remember that documents can move around in the envelope.
Sometimes refolding the documents can resolve this, but if you still have issues, make sure to space the address block far enough away from any other identifying information.
Pitfalls of Using Postcards
Postcards are convenient to use, but when using them to send out appointment reminders, they can become problematic. Regular two-sided post cards can be used if you are sending out a generic reminder to set up an appointment.
If your card contains any specific appointment information, this is considered PHI and should not be visible from the outside. One alternative option could be to use a greeting card format with a flap and make sure all open edges are securely shut.
The other option, which may be a safer solution, would be to use envelopes with your postcards.
Using Discount Postage when Mailing PHI
Marketing Mail postage such as Marketing Mail or Nonprofit Mail, is the least expensive method of sending out large quantities of mail.
Marketing Mail is the service with the lowest service level available through the post office and does not provide any return mail services… therefore, it is very important to always send any mail, including PHI, as First-Class or higher.
If you send out large amounts of First-Class mail regularly, consider utilizing a presort service for additional discounts.
Not Verifying Mailing List – Importance of USPS National Change of Address
Although it is not a requirement with First-Class Mail, it is important to verify your mailing lists against the USPS National Change of Address (NCOA) database. According to the US Census Bureau, 31 million people move each year, and it is important to ensure your mailing address captures any changes to an individual’s address. The USPS certifies Mail Service Providers (MSP) who provide NCOA services.
Using the results of address verification with NCOA processing you can either update your mailing address or reach out to recipient to verify the change, depending on specific business requirements or industry regulations.
Personalized Letter in the Wrong Envelope
Personalized mailings utilizing a pre-printed envelope or mailing labels. These mailings create a risk, as the envelope contains personal information that does not match the name and address on the envelope.
This is a serious breach of PHI regulations, as someone will receive PHI information for someone other than themselves. Although some may feel this type of mailing is more personal and preferred, the risks need to be considered.
The safest way to avoid this mishap is by either making the letters non-personalized if possible, or by including the address block on the letter itself, allowing it to show through the envelope window. With this method, the name and address are only printed once.
From treating patients within the hospital, to mailing information to their homes, each step is just as important as the other when it comes to the security of Protected Health Information.
“Many HIPAA violations related to PHI information are the result of negligence”
Performing an organization-wide risk assessment would be a smart move for all businesses. Taking the extra precautions and focusing on details that are normally overlooked can prevent your organization from facing financial penalties, criminal charges, and damage to the organization’s reputation.
Make sure you do your research before acting, reach out to the experts and educate those around you. The more effort you put in now to minimize risk will save you important time and money in the future. For standard HIPAA rules and guidelines, you can go to: https://www.cdc.gov/phlp/publications/topic/hipaa.html.
Onsite Management Group’s team members are required to hold a current HIPAA certification. We preserve the confidentiality of protected health information (PHI) through every phase of printing, mailing, fulfillment, shipping, and delivery.