Friday, July 23, 2010

Your Document Production Center and HIPAA

Do you process any documents that contain information protected under HIPAA?

If you don’t immediately know the answer to that question, your organization may be lacking some of the controls, procedures, and safeguards that are recommended or required by the HIPAA privacy regulations.

Generally speaking, print/mail service providers who create and mail doctor bills, medical lab bills, hospital bills, health insurance claim forms, or any other documents that contain health information identifying a specific individual are probably categorized as Business Associates of the company or institution for whom they do the work. As a Business Associate (an official HIPAA term), a print/mail service provider is held to the same privacy-protection standards as the originators of the data.

Given that definition, care to answer the first question again?

Once you’ve decided that you are probably responsible for safeguarding health information protected by HIPAA, there are a whole host of areas to consider about how you receive, handle, and process the data. A thorough audit may be necessary to assess your level of risk when it comes to intentional or accidental breaches of security.

Where I usually get involved is in the last step of your process. Making sure the documents get printed correctly and are accurately inserted and mailed is an area where clients call for my opinion and recommendations.

Other than malicious hacking or intentional identity theft, printing and mailing errors are probably the biggest risk in document production centers. And frankly, some operations don’t take it seriously enough.

We know of shops that still use the clipboard method of mail piece integrity control. They get counts of how many envelopes should be in a batch, note the beginning and ending meter readings on the inserting machine and check at the end of the job. If the counts match, the mail trays head out to the Post Office.

The batch-balancing method was fine in the past for applications like direct mail advertising, although one could argue that with variable data printing, even these types of jobs now require better control. But consider medical bills with variable page counts. Pages with only OMR marks (or no marks at all) are subject to un-catchable errors. The piece count can balance just fine, but you may have revealed personal and protected medical information to someone other than the patient by inserting a page into the wrong envelope. That’s a HIPAA violation and it can cost you money in fines or to defend yourself against a lawsuit. Not to mention the adverse publicity and possible loss of customers.

I know it can seem like a big investment to implement identifying control numbers and an automated tracking mechanism. But to stay in business today, you have to be able to assure customers that you’ve got a system in place that protects them from the kind of embarrassment and negative notoriety that comes from being accused of HIPAA violations. Otherwise, customers will find another provider who has the technology to do the job.
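The gap between batch balancing and piece-level tracking can be shown in a few lines. This is an added example, not code from the original post; the control numbers, the scan record layout, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; the record layout is an assumption for illustration.
# EXPECTED comes from the print file: control number -> pages in that piece.
EXPECTED = {"A1001": 2, "A1002": 3, "A1003": 1}

# One tuple per page read at the inserter: (envelope, control number, page).
# Page 1 of A1002 has been pulled into envelope 1 with A1001's bill.
SCANS = [
    (1, "A1001", 1), (1, "A1001", 2), (1, "A1002", 1),
    (2, "A1002", 2), (2, "A1002", 3),
    (3, "A1003", 1),
]

def batch_balances(expected, scans):
    """Clipboard method: sealed-envelope count equals expected piece count."""
    return len({env for env, _, _ in scans}) == len(expected)

def integrity_errors(expected, scans):
    """Piece-level check: every envelope holds exactly one complete piece."""
    by_env = defaultdict(list)
    for env, ctrl, page in scans:
        by_env[env].append((ctrl, page))
    errors, seen = [], set()
    for env in sorted(by_env):
        ctrls = sorted({c for c, _ in by_env[env]})
        if len(ctrls) > 1:
            errors.append((env, "mixed", ctrls))
        for ctrl in ctrls:
            seen.add(ctrl)
            got = sorted(p for c, p in by_env[env] if c == ctrl)
            want = list(range(1, expected.get(ctrl, 0) + 1))
            if got != want:
                errors.append((env, "incomplete", [ctrl]))
    for ctrl in sorted(set(expected) - seen):
        errors.append((None, "missing", [ctrl]))
    return errors

if __name__ == "__main__":
    print("batch balances:", batch_balances(EXPECTED, SCANS))
    for err in integrity_errors(EXPECTED, SCANS):
        print("divert for review:", err)
```

The envelope count balances, yet the piece-level check flags envelopes 1 and 2, which is exactly the wrong-envelope error that a count comparison cannot see.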

There are lots of bad things that can happen during the production process, and the clipboard system or other manual procedures can’t always be counted on to catch those errors. Some errors can affect large numbers of patients, not just one or two whose documents got double-stuffed.

If you are going to be in the business of handling documents covered by HIPAA, you and your customers will sleep better knowing you have systems in place that keep you out of trouble. I recommend that you assess your risk and then take appropriate action to prevent inadvertent violations.

For more information on HIPAA regulations, see the reference page at http://www.ironsidestech.com/resources-hipaa


Bill Riley
