A recently-released report indicates companies classified as Business Associates by HIPAA are experiencing increases in data breaches and security incidents. Furthermore, they may not be fully prepared to prevent privacy breaches, or react effectively when a problem occurs. Print and mail service providers that create documents for hospitals, clinics, insurance companies, and medical labs are among those entities HIPAA defines as Business Associates.
In their Fifth AnnualBenchmark Study on Privacy & Security of Healthcare Data, Ponemon Institute LLC expanded their report for the first time to include Business Associates (BA's). According to the study sponsored by ID Experts, the average cost of a BA privacy breach is $1 million. The average breach affects 5,000 records and half the organizations included in the study said they have little to no confidence in their abilities to detect all patient data loss or theft.
Although Business Associates don't seem to be as big a target for criminal attacks as their customers so far, the latest study reveals malicious criminal activity has increased 125% for healthcare organizations over the last five years. The increasing threats have prompted healthcare organizations to place an emphasis on securing their data and systems. As their customers make investments to decrease their vulnerability, BA's must do the same to avoid becoming the easier mark for criminals.
Note the BA's covered in the study included various types of businesses. Print and mail service providers were not segmented separately.
Document Operations Processes Criminal-Attractive Data
The most common patient data targeted by thieves is billing and insurance information, followed by payment details, medical data, and prescription information. Print/mail service providers process much of this material as they generate paper and electronic bills, insurance claim forms, lab results, and more. They definitely handle data of value to criminals.
Criminal activity isn't the only threat to print/mail service providers though. Only 39% of Business Associates experiencing data breaches attributed the incidents to criminal activity and 10% to malicious insiders. That means about half the privacy breaches at BA's resulted from innocent mistakes, not deliberate crimes.
Error-Induced Privacy Incidents Just as Likely
Incidents such as double-stuffed envelopes, out-of-sync duplexing, paper jams, and accidently mixed data files can account for some of the failings. Lost or stolen computing devices, insecure storage or disposal, and paper documents accidently falling into the hands of unauthorized persons would also be counted as errors rather than intentional data theft.
When it comes to preparedness, fewer than half of the Business Associates say they have adequate policies, procedures, technologies, and personnel to prevent, detect, and resolve data breaches. When an incident does occur, a little more than half of Business Associates said they do not perform a HIPAA-required 4-factor risk assessment. This is the process prescribed to determine if a data breach requires notification.
Since they started publishing their findings five years ago, the Ponemon report has been interesting from the health organization perspective. With the addition of Business Associates in the 2015 version, it is possible to see for the first time where BA's stand as part of the overall personal health information security issue. The statistics reveal areas where Business Associates might make improvements.
Enforcement of HIPAA-HITEC regulations has increased over the last couple of years, as have the reactionary and preventative measures enacted by health organizations. The national Blue Cross/Blue Shield Association just announced plans to provide identity theft protection as a permanent benefit to all 106 million of their members, for example. It is reasonable to expect health organizations will begin requiring more stringent controls, audits, and certifications from their print/mail service vendors to protect against the embarrassment and financial fallout of a privacy breach.
Don't Wait for a Breach
Some print and mail service providers won't be able to afford an outside assessment and certification. They can, however, lower the risk of experiencing a privacy incident by doing their own analysis. Service providers can take a look at data handling methods and storage, consider encryption techniques, destroy confidential information after use, and establish policies for portable devices. Using in-house or external resources they can search for points in the workflow where human error could cause a problem.
The paper-centric portion of the workflow must not be ignored. Throughout print and finishing operations it is important to make sure documents are properly tracked through the shop and they make it into the correct envelopes. Employees must be trained on security and quality control procedures, with training reinforced and updated regularly.
Privacy breaches can be proportionally more costly to Business Associates than to their customers. The expense of bringing an operation into compliance rapidly, responding to inquiries, hosting auditors, or losing business because of a HIPAA violation could be devastating. An unexpected million dollar expense would be a significant blow to most print and mail service providers.
The Ponemon report indicates BA's could probably improve their security incident prevention and response procedures. Document service providers would likely spend less by assessing their security measures and making improvements now. Reacting to an incident after it happens will probably be much more expensive.
Mike Porter is President of Print/Mail Consultants. He writes constantly about topics of interest to the communications industry. To keep up with Mike's tips, trends, and commentary visit www.printmailconsultants.com and sign up for Practical Stuff - a free newsletter for customer communication professionals or follow him @PMCmike on Twitter.