Some of the most common causes of Health Insurance Portability and Accountability Act (HIPAA) violations are compliance problems associated with what the Office for Civil Rights (OCR) calls “willful neglect.” The OCR is the government entity charged with enforcing HIPAA regulations and punishing offenders. As HIPAA's investigative and enforcement arm, it can audit business associates (BAs) such as mail service providers (MSPs) after a breach incident.

One item that has caused pain and expense to BAs is an inadequate risk analysis. The impact of a missing or unsatisfactory HIPAA risk analysis can be greater than the fallout caused by the original error or privacy incident. Time and resources spent facilitating the audit and making workflow adjustments can disrupt production and shift management focus from other important business activities.

Willful neglect means organizations knew or should have known personal health information (PHI) was at risk and they did not take sufficient preventative actions. A print/mail company can lessen their exposure to regulatory action by performing an internal risk analysis, which HIPAA requires under their privacy rules.

HIPAA classifies print/mail organizations that process documents such as health insurance claims, benefit forms, lab results, or hospital bills as BAs. They are subject to the same level of scrutiny as their healthcare provider customers. Should a privacy incident trigger an audit, print and mail service providers can find themselves in trouble if their risk analysis is inadequate or they have never produced one.

The breadth and complexity of a HIPAA risk analysis will differ among companies. Here are some questions most of these exercises will answer:

  • How is PHI received, stored, and transmitted? How do you dispose of PHI when finished with it?
    Be sure to analyze electronic data and paper documents, including procedures for finished and damaged pages.

  • Where are your vulnerabilities for PHI privacy breaches?
    Include malicious intrusion and accidental data loss. Be sure to cover printing errors or mistakes made during collating, inserting, and mailing.

  • What are your security measures? How are you safeguarding the PHI?
    This can cover more than firewalls for your networks. You should include policies about personal devices, physical access, or data encryption. Your risk analysis should describe quality control measures meant to prevent or catch physical document anomalies such as:
    --Duplexing synchronization errors
    --Double-stuffed envelopes
    --PHI showing through envelope windows
    --Data matching mistakes
    --Distribution list errors

  • How would a security breach affect you?
    Think about the impact to your business, your customers, and the patients affected by a breach.

A HIPAA risk analysis will uncover hidden vulnerabilities and help you develop priorities for fixing them. Documenting the risk analysis is important should your company ever become subject of an audit or investigation associated with a HIPAA violation. Lack of a viable risk analysis can trigger fines or OCR-directed remedial action.

What’s in a Risk Analysis?

HIPAA and OCR do not publish a template for documenting a BA risk analysis. Print/mail companies don’t have a form to fill out or a defined set of steps to check off. Format and content of the HIPAA risk analysis is up to you. Just make sure it covers all aspects of your operation where you handle, process, or manufacture PHI.

Examples might include:

  • Data collection
  • Data storage
  • Encryption
  • Policies regarding data transportation or transmission
  • Reprint procedures
  • Document integrity measures
  • Mailing job balancing and verification
  • Facility access and monitoring
  • Secure destruction of printed materials
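The quality control anomalies listed earlier (double-stuffed envelopes, data matching mistakes, distribution list errors) and the "mailing job balancing and verification" item above are the kind of controls an auditor will ask you to describe. The following is an added illustration, not code from the original article or from Print/Mail Consultants, of how a job-balancing check reconciles the input data file against the finished mail pieces. The record layout, the account numbers, and the `Record`/`Piece` structures are constructed assumptions for the example; a real shop would feed it from its own print stream and inserter logs.

```python
"""Job balancing check: reconcile input records against finished mail pieces.

Added example (not from the article). Input data and field names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One customer record from the input data file."""
    account: str
    name: str
    address: str
    pages: int  # number of pages this account's document should have


@dataclass
class Piece:
    """One finished envelope: the address printed on it plus the
    (account, page_number) pairs the inserter put inside."""
    address: str
    pages: list


def balance_job(records, pieces):
    """Compare finished pieces with the input records and return findings.

    Every list in the returned dict is empty when the job balances."""
    expected = {r.account: r for r in records}
    findings = {
        "missing": [],           # accounts with no finished piece at all
        "duplicate": [],         # accounts mailed more than once
        "double_stuffed": [],    # one envelope holding two accounts' pages
        "page_mismatch": [],     # wrong page set for the account
        "address_mismatch": [],  # envelope address differs from the record
        "unknown_account": [],   # pages for an account not in the input file
    }
    seen = {}
    for idx, piece in enumerate(pieces):
        accounts = sorted({acct for acct, _ in piece.pages})
        for acct in accounts:
            seen[acct] = seen.get(acct, 0) + 1
        if len(accounts) > 1:
            # Two accounts in one envelope: PHI disclosed to the wrong person.
            findings["double_stuffed"].append((idx, accounts))
            continue
        if not accounts:
            continue  # empty envelope; inserter sensors normally catch this
        acct = accounts[0]
        rec = expected.get(acct)
        if rec is None:
            findings["unknown_account"].append((idx, acct))
            continue
        got = sorted(page_no for _, page_no in piece.pages)
        if got != list(range(1, rec.pages + 1)):
            findings["page_mismatch"].append((idx, acct, got))
        if piece.address != rec.address:
            findings["address_mismatch"].append((idx, acct, piece.address))
    for acct, count in seen.items():
        if count > 1 and acct in expected:
            findings["duplicate"].append((acct, count))
    for acct in expected:
        if acct not in seen:
            findings["missing"].append(acct)
    return findings


def job_balanced(findings):
    """True only when every finding list is empty."""
    return all(not v for v in findings.values())


def run_demo():
    """Constructed sample job exhibiting several of the anomalies."""
    records = [
        Record("A100", "Ann Example", "1 Main St", 2),
        Record("A200", "Bob Sample", "2 Oak Ave", 1),
        Record("A300", "Cy Test", "3 Pine Rd", 1),
        Record("A400", "Di Demo", "4 Elm St", 1),
    ]
    pieces = [
        Piece("1 Main St", [("A100", 1), ("A100", 2)]),   # correct
        Piece("2 Oak Ave", [("A200", 1), ("A300", 1)]),   # double-stuffed
        Piece("9 Wrong Way", [("A400", 1)]),               # address mismatch
        Piece("1 Main St", [("A100", 1)]),                 # duplicate, page short
    ]
    return balance_job(records, pieces)


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(f"{kind}: {items}")
```

Run as a script, it prints one line per finding type; wired into a production workflow, a non-empty finding list would hold the job before it reaches the mail stream and produce the written evidence an auditor looks for.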

You should schedule periodic reviews of your risk analysis. HIPAA doesn’t require a specific review interval, but annual reviews are recommended. Your business is always changing with new applications, new customers, and new technology. Reviewing your risk analysis at least once a year helps ensure nothing has been overlooked.

Risk Assessment – Not the Same Thing

Though many use the terms risk analysis and risk assessment interchangeably, HIPAA defines them differently. A risk analysis is a preparatory and preventative review of conditions that might expose PHI. Risk assessments occur after you report a breach. HIPAA risk assessments describe the impact of the incident.

HIPAA covers risk assessments under its breach notification rules. The assessment will answer important questions such as:

  • How many patients were affected?
    Breaches affecting fewer than 500 individuals may not require patient notification.

  • What is the extent of the compromised PHI?
    Breaches of financial information, social security numbers, or detailed descriptions of patient health and treatments are more damaging than documents that simply reveal patient names. Inadvertently sharing patient information with unauthorized family members is not as impactful as disseminating sensitive information to public portals.

  • Who accessed the PHI?
    Internal employees unlikely to use PHI unlawfully are a smaller risk than thieves who intentionally hack into systems or steal devices containing sensitive health information.

Prevention Is the Best Policy

Don’t rely on coverage such as errors and omissions insurance to protect you should the OCR penalize your organization. Your insurance policy may not cover losses caused by “willful neglect.” It may not reimburse you for lost productivity while responding to HIPAA audits, remediation measures like re-mailing corrected documents, or purchasing credit monitoring services for affected patients.

A risk analysis is less expensive than dealing with a privacy breach that damages your reputation in the marketplace.

Not Just for HIPAA Documents

HIPAA requires that BAs perform a risk analysis, but the same exercise will benefit print/mail companies that do not handle healthcare data. Scrutinizing your document production workflow to spot weak spots where mistakes can happen is a good strategy regardless of the documents you produce. Even if your company is not subject to OCR audits or fines, the business impact from malicious data breaches or document processing errors can be just as devastating. I recommend all my clients fix problems in their document production workflows before they occur, and avoid unpleasant phone calls about errors.

Mike Porter at Print/Mail Consultants works with in-plant operations and print/mail service providers to optimize production workflows and prepare clients for the challenges and opportunities of the future. Connect with Mike directly by following @PMCmike on Twitter, or send him a connection request on LinkedIn.
