Regulatory compliance is, at worst, a scary thing and, at best, a huge cost of doing business. What it means to comply varies depending on industries and applications, making it especially tricky for document services companies that work with clients covered by different regulating authorities. Non-compliance is a risk for both the companies and their customers. Ensuring their organizations don't run afoul of the law is an ongoing concern for many company executives.
The applications that document service providers use to create and distribute documents are frequently a collection of hardware and software products from multiple vendors. Sometimes the same function is handled by several pieces of software. It’s not unusual, for instance, for a large enterprise to use a dozen different systems to compose documents. Unintegrated applications make it difficult to control operations and prevent privacy breaches, but they also hinder efforts to respond to alleged security violations. A comprehensive system that collects all the data in one place is needed.
In healthcare, HIPAA, HITRUST, and HITECH protect the medical information of individuals. When privacy incidents occur, the government can investigate and audit the offender. Covered entities, including Business Associates like document services companies, can be fined or forced to make substantial changes in their operating procedures. In the financial world, regulations like Sarbanes-Oxley (SOX) and Gramm-Leach-Bliley (GLBA) come into play. Insurance companies face regulations of their own that can vary from state to state.
A common problem for organizations that find themselves under investigation because of a suspected security breach is a lack of internal audits and procedures. An investigation that reveals a print and mail service provider did not implement adequate controls can compound the problems caused by the initial infraction. Remedying the workflow or documentation deficiencies can have a greater negative impact on the company than the original breach incident!
Unintegrated Processes
Many document service companies that produce and distribute paper and electronic documents on behalf of their clients work with a patchwork of software and hardware solutions. How a company processes their jobs depends on the clients or the applications. Some job steps may be manual. Many steps do not fully integrate with other processes. The company never combines the data from individual applications to give management, or their clients, a complete picture of the entire document workflow.
Because of this arrangement, quality controls may be lacking, documentation could be spotty, and comprehensive, ongoing audits are impossible. Environments like these also make it easy for employees to make mistakes that result in a regulatory infraction!
Print service providers and in-plant print operations are generally concerned with three facts concerning regulatory compliance:
1. Is it right? Are the documents composed correctly? Do they contain accurate information belonging only to the intended document recipient?
2. Was it produced? Did all the documents make it out of the document generation step? If they are physical documents, did they all get printed?
3. Did it go out? Can the service provider account for every document and prove when it was conveyed to the postal service or other carriers?
When a regulator asks you to prove those three points for a specific mailing 90 or 120 days ago, can you do it? Perhaps, but I bet it’s not easy. The manual process of gathering logs and manual records to piece together the progress of a mailing from data reception through delivery to the Postal Service might cause auditors to question the accuracy of the information. Undocumented gaps might spur further investigations or trigger more audits that disrupt your operation and cause key employees to focus their attention away from other critical tasks.
It is better if all your diverse systems report to a common place. That’s what a customer communications management (CCM) integration platform does for you. These kinds of software platforms vary in approach, but the idea is that they become your master system that manages the work and, for many tasks, performs the work. That does not mean you throw everything away and start over, but rather, a good platform wraps around the software and hardware you already have.
Here are some examples where a CCM integration platform either prevents your company from being accused of a regulatory violation, or makes it easier to respond should a violation occur.
SCENARIO 1: A Missing Mandatory Mail Piece
The platform’s proofing and approval function may allow clients to suppress certain documents from being printed. The system records exactly when this happened and who did it. It’s a more powerful argument of innocence than your employee’s vague recollection of a similar client instruction conveyed by phone.
SCENARIO 2: Customer Personal Information Leaked
The platform’s automated workflow ensures data is encrypted at rest and at key points in the production process. Measurements from the system show the dates and times data was received, encrypted, processed, and destroyed. It also shows what people and systems have access to the data. This information creates a timeline and evidence of how the data is handled.
SCENARIO 3: Mis-Directed Documents with Personal Information
For applications where documents are distributed via multiple channels, each recipient of the documents may manage their delivery preferences via an online portal or some other seamless interface to the CCM integration platform. An investigation into the stored preferences in the CCM system shows when a recipient changes their channel designation and which physical or digital address they supplied. The document services provider can prove they attempted delivery via the customer’s selected channel.
SCENARIO 4: Regulated Data/Documents is Wrong
What do you do if you’re asked to produce an image of a single document or a series of documents sent to an individual if they were printed months or even years ago? Having versions of the data and documents as they travel through their production and distribution lifecycle takes the pain out of identifying faults or proving accuracy.
Compliance auditors look for documentation that proves a document service provider is following the regulations. Many companies are unable to produce a reliable accounting of how they processed certain jobs. An ad hoc explanation of how they prevent personally identifiable information from being seen by unauthorized individuals may not be acceptable. Document service providers should back up their claims with logs, statistics, and an accounting of actual processed work.
Manually producing documentation when under the pressure of a regulatory investigation can lead to inconsistent reporting or missing data. A CCM integration platform collects and reports on the data and the process, making incident response less risky. The time to work on a security incident response strategy is before a breach happens, not after.
Matt Mahoney is the Executive VP of Sales and Marketing at Racami, a fast-growing and innovative software, IT services, and staffing company that improves the performance of customer communications processes and advances multi-channel initiatives. He is responsible for cultivating Racami’s relationships with customers and partners involved in the production of highly regulated consumer communications, direct marketing, and book publishing.
This article originally appeared in the July/August, 2020 issue of Mailing Systems Technology.