HIPAA Risks for Document Operations
Rolling the Dice with HIPAA
Many facilities that produce documents containing protected health information (PHI, as HIPAA calls it; often loosely called personal health information) do not have a real appreciation of their exposure to fines, penalties, and negative publicity should the data or documents fall into the wrong hands. Document center managers should be aware that this data is covered by regulations such as HIPAA and HITECH. The HHS Office for Civil Rights (OCR) is responsible for enforcing the privacy and security rules, and it has announced plans to expand audits and investigations.
Experts in HIPAA and HITECH talk about “Covered Entities” and “Business Associates”. Clinics, hospitals, labs, and health insurance companies are examples of Covered Entities. Outsourced service providers such as billing agencies or document print and mail operations are Business Associates, and they are directly liable under the rules for the PHI they handle. Historically, Business Associates have been responsible for more privacy breaches than Covered Entities: in a recent study, 57 percent of all breaches involved a Business Associate. The exposure is very real for any company that handles data or documents containing PHI.
Hacking Not a Big Threat – Yet
Although stolen health information can be a valuable commodity to identity thieves, insurance fraud perpetrators, or illicit prescription drug rings, deliberate theft of PHI by outside criminals is actually fairly rare. Statistics show that, thus far, hacking has accounted for only a small percentage of reported HIPAA incidents.
That doesn’t mean document processing organizations can be lax about access to their data networks. Because of the high value of this data, some experts expect criminals to keep probing for weaknesses throughout the data workflow, not just at the hospital or insurer. Those probes could very well include companies that print or mail patient statements, lab reports, hospital bills, or insurance forms.
Far more common than hacker activity is loss or accidental disclosure of protected information. This can take many forms, including physical printing, inserting, and mailing mistakes (for example, one patient’s statement inserted into another patient’s envelope). Other reported incidents include improper disposal of printed material such as damaged documents, test runs, or duplicates. Fortunately for document operations, automated safeguards and human quality controls can lessen their exposure to such occurrences. Processing documents bearing PHI requires an investment in control systems that ensure document integrity from data receipt through mailing and disposal. Running an operation without such systems is risky.
BYOD (Bring Your Own Device) Management a Challenge
Security measures that concentrate on networks, firewalls, and physical plant security/surveillance can miss a common practice: the removal of data, electronic images, or printed materials from the development or production environment. Flash drives, laptops, iPads, smart phones, and portable hard drives account for much of the vulnerability. Over a third of information workers use their own portable devices at work. While the IT staff may be able to enforce policies such as data access controls and encryption on company computers, well-meaning employees who take their work home with them may be inadvertently exposing their employers and their customers to regulatory infractions should their personal devices be lost or stolen. Over the last couple of years, nearly 40 percent of reported PHI breaches occurred on a laptop or other portable device. One practical point: under the HITECH breach notification rule, PHI that is encrypted in line with HHS guidance is not treated as “unsecured”, so a lost device with full-disk encryption and a key the thief does not have generally does not trigger a reportable breach, whereas the same device unencrypted does.
Violations Costly
Companies engaged in processing PHI need to understand their financial exposure. The amount of the fines that can be assessed for HIPAA violations depends on the severity of the infraction and several other factors, including a judgment about whether the Business Associate knew or should have known about the violation. The fines can range from $100 to $50,000 per violation, subject to an annual cap for repeated violations of the same provision. Added to those amounts are fees for legal representation, public relations experts to repair a tarnished reputation, re-work, damage control measures such as paying for credit monitoring, and loss of business.
Few providers of printing and mailing services can absorb high-level damages without severe and long-lasting consequences to their businesses. An audit of current practices, followed by remedial actions and continuous reinforcement of policies, just makes good business sense.