Everyone dreads a data breach. We constantly hear about companies that have fallen victim to ransomware, phishing, and data theft. No one is immune, not even companies that print and mail documents for a living.
Bad publicity and damaged customer relationships follow any privacy incident. What comes afterward can be even worse. A breach or complaint can prompt an investigation, and investigations often uncover HIPAA violations. I’ve read many accounts of organizations that faced HIPAA fines or were forced to undergo successive audits because investigators found deficiencies in how the company handled data, prepared for a privacy incident, or trained its employees. A document processing mistake that exposes personally identifiable information (PII), which HIPAA regulates as protected health information (PHI) when it relates to a patient’s care or payment, can trigger an expensive list of remedial activities that document service providers must undertake.
One common error made by companies handling PII is failing to meet HIPAA’s readiness requirements. If someone files a privacy complaint, an investigation may question your procedures for protecting PII, and your company’s ability to detect, contain, and report a breach will also be examined. A recent survey of group health plans revealed that sponsors were not compliant in several areas, and many were unprepared for a compliance investigation or HIPAA audit. I suspect Business Associates (BAs), including print and mail service providers, would not fare much better if similarly scrutinized.
The US Department of Health and Human Services Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. In recent years, the OCR has increased the number of breach investigations and imposed some of the largest settlements in HIPAA history.
Compliance Isn’t Easy
According to the 2019 HIPAA Readiness Survey, only 39% of respondents had reviewed or updated their HIPAA privacy and security processes and practices within the last year. Considering the rate at which new threats evolve, combined with the fast-developing technology that print and mail companies implement in their workflows, neglecting to update security procedures is a risky business practice. The HIPAA Security Rule requires an accurate and thorough risk analysis, and if the OCR determines your company’s risk analysis is inadequate or out of date, it could mean trouble for your organization. The OCR might treat the absence of a recent, written risk analysis as evidence of “willful neglect”, the penalty tier that generates the biggest fines.
Workforce training is another area where most covered entities in the survey were at risk. Only 42% of them said they had conducted HIPAA workforce training within the last year, and another 13% trained employees only at onboarding. HIPAA requires companies to train new employees and to refresh the training whenever procedures change or new rules or guidelines are issued. When you train employees, keep a record of when you delivered the training, what it covered, and who attended; that record is what an investigator will ask for.
Updating procedures and training employees on them only prevents privacy breaches if the procedures are actually followed. Operational reviews, which verify that privacy and security practices are in use day to day, apparently aren’t done very often. Only a third of the survey respondents could say for sure that they had ever performed one.
Don’t Let Compliance Be a Problem
Most of the participants in the 2019 HIPAA Readiness Survey have over 500 employees, and a quarter of them have more than 25,000. These are organizations with far more resources than the average print and mail service provider, and yet they struggle to follow the HIPAA rules. Smaller companies are likely facing similar or worse gaps.
It’s difficult to take time away from daily business issues to handle items like those mentioned here, but it may be costly to ignore them. If you suspect your organization couldn’t document its security and privacy readiness in response to a HIPAA inquiry, it might be time to assign compliance maintenance to a specific staff member and begin working through the deficiencies you find: the risk analysis, the training records, and the operational reviews.
You may believe your exposure is low because you’ve put procedures in place to prevent the malicious or accidental actions that lead to privacy incidents. But if you process documents covered by HIPAA, the cost of following the guidelines will seem minor compared to the resources you must consume to respond to investigations, undergo multi-year audits, or pay the fines imposed by the OCR. Do everything possible to make sure violations don’t occur, but be prepared in case one does.