HIPAA Compliant Mailing FAQ
Commonly Asked Questions About HIPAA Compliance in the Print-Mail Industry
Outsourcing your healthcare-related print and mail can have many benefits for your communications and business objectives, including:
• HIPAA-compliant print, mail and eDelivery
• Ironclad data security and privacy
• Increased savings on cost, time and resources
• Full workflow transparency
• Expertise in cross-channel communications
• Lowered risk of unplanned business interruptions with a DR/business continuity plan
• Access to the latest technology and innovation to improve communication channels
With over 40 years of document processing and mailing expertise, we’re a trusted HIPAA-compliant patient statement vendor whose solutions can reduce production costs, stimulate collections and keep pace with emerging regulations. We have worked with both healthcare providers and health insurance companies to securely process printed and electronic communications containing PII and PHI.
Print and mail companies like FSSI maintain HIPAA compliance by continually meeting HIPAA compliance and security standards to keep sensitive data secure, including:
• Risk assessments
• Rigorous third-party audits
• Administrative, physical and technical safeguards that go beyond the required levels
• Secure printing, mailing and electronic presentment practices
• Penetration testing
• Vulnerability scans
• Employee education
Health information alone is not PHI; it becomes PHI when it is combined with any of the following identifiers, the same 18 identifiers that the Privacy Rule’s Safe Harbor de-identification method requires be removed:
1. Names
2. Medical record numbers
3. Email addresses
4. Phone numbers
5. Fax Numbers
6. Social Security numbers
7. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89, together with any date elements (including year) that would reveal such an age (these ages may be aggregated into a single category of 90 or older)
8. Health plan beneficiary numbers
9. Account numbers
10. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code and their equivalent geocodes, except for the initial three digits of a ZIP code when the area formed by all ZIP codes sharing those three digits contains more than 20,000 people (otherwise the three digits are changed to 000)
11. Certificate/license numbers
12. URLs
13. Vehicle identifiers and serial numbers, including license plate numbers
14. Any other unique identifying number, characteristic or code (this does not include a re-identification code assigned by the researcher to de-identified data, provided the code is not derived from information about the individual)
15. Device identifiers and serial numbers
16. IP Addresses
17. Biometric identifiers, including finger and voice prints
18. Full-face photographic images and any comparable images
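The identifier list is also a checklist a print-mail shop can run against output before it goes into an envelope. As an added example (not FSSI’s code or any tool this page describes), the Python below applies the Safe Harbor treatment for these categories to a constructed patient statement: it tags labelled names, addresses and direct identifiers, reduces dates to the year, collapses ages over 89 into "90+" (including the birth year, which would otherwise reveal the age), and truncates ZIP codes to three digits, or 000 for restricted prefixes. The field labels, the sample statement, the reference date and the restricted-prefix set are assumptions; the prefix set is the one from HHS guidance based on the 2000 Census and must be refreshed from current Census data before use. It also shows the usual gap of regex-only scrubbers: a name or address outside a labelled field is not caught.

```python
"""Safe Harbor de-identification of a patient statement (added example, not FSSI code).
Labelled names/addresses and direct identifiers become a tag, dates are cut to the
year, ages over 89 become "90+", ZIPs keep three digits (000 if restricted). Free-text
names outside labelled fields are NOT caught; that needs an NLP/gazetteer pass."""
import re
from datetime import date

# Assumed: the three-digit ZIP prefixes HHS listed as covering <= 20,000 people
# (2000 Census). Refresh from current Census data before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}
AGE_CUTOFF = 90                      # ages over 89 collapse into "90+"
REFERENCE_DATE = date(2024, 1, 15)   # assumed "as of" date for computing age from DOB

# Direct identifiers replaced by a tag; group 1, when present, is a kept label.
# SSN and phone run before the looser date/ZIP patterns. Labels are assumed.
TAGGED = [
    ("NAME", re.compile(r"(?m)(^(?:Patient|Guarantor):[ \t]*)(.+)$")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"(MRN[:#]?\s*)\d+", re.I)),
    ("ACCT", re.compile(r"(Account\s*(?:#|No\.?)?\s*:?\s*)\d+", re.I)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL", re.compile(r"\bhttps?://\S+", re.I)),
]
ADDRESS_RE = re.compile(r"(?m)(^[\w ]*Address:[ \t]*)(.+)$", re.I)
DOB_RE = re.compile(r"(DOB:\s*)(\d{1,2})/(\d{1,2})/(\d{4})\b")
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")
AGE_RE = re.compile(r"\b(\d{1,3})(\s*(?:years?\s+old|y/?o)\b)", re.I)
# Not after $, '.' or a digit and not before decimals: 12500.00 is not a ZIP.
ZIP_RE = re.compile(r"(?<![\d$.])\b(\d{5})(?:-\d{4})?\b(?!\.\d)")


def zip3(zip5):
    """Keep the first three digits; restricted prefixes become 000."""
    return "000" if zip5[:3] in RESTRICTED_ZIP3 else zip5[:3]


def age_on(dob, ref):
    """Whole years from dob to ref (one less if the birthday is still ahead)."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def deidentify(text, reference_date=REFERENCE_DATE):
    """Return (scrubbed_text, counts) with counts per identifier category."""
    counts = {}
    for tag, pat in TAGGED:
        text, counts[tag] = pat.subn(
            lambda m, t=tag: (m.group(1) if m.re.groups else "") + f"[{t}]", text)

    def address_repl(m):  # drop street/city, keep only the truncated ZIP
        z = ZIP_RE.search(m.group(2))
        return m.group(1) + "[ADDRESS]" + (f" {zip3(z.group(1))}" if z else "")
    text, counts["ADDRESS"] = ADDRESS_RE.subn(address_repl, text)

    def dob_repl(m):
        label, mm, dd, yyyy = m.groups()
        if age_on(date(int(yyyy), int(mm), int(dd)), reference_date) >= AGE_CUTOFF:
            return f"{label}[{AGE_CUTOFF}+]"  # even the year would reveal an age over 89
        return f"{label}{yyyy}"               # Safe Harbor permits the year alone
    text, counts["DOB"] = DOB_RE.subn(dob_repl, text)
    text, counts["DATE"] = DATE_RE.subn(lambda m: m.group(1), text)  # other dates -> year

    over = []
    def age_repl(m):
        if int(m.group(1)) < AGE_CUTOFF:
            return m.group(0)
        over.append(m.group(1))
        return f"{AGE_CUTOFF}+{m.group(2)}"
    text = AGE_RE.sub(age_repl, text)
    counts["AGE"] = len(over)
    text, counts["ZIP"] = ZIP_RE.subn(lambda m: zip3(m.group(1)), text)  # stray ZIPs
    return text, counts


# Constructed sample; every value is fictional.
SAMPLE_STATEMENT = """\
Patient: Maria Delgado
MRN: 4471923
SSN: 987-65-4321
DOB: 03/12/1931
Account #: 88812345
Admitted 01/15/2024, discharged 01/18/2024
Address: 42 Elm St, Concord, NH 03301
Guarantor: Thomas Delgado
Guarantor address: 9 Mill Rd, Walpole, NH 03608
Phone: (603) 555-0142   Email: m.delgado@example.com
Portal login from 203.0.113.7 via https://portal.example.com/pay
Age at admission: 92 years old
Return mail scan: ZIP 03608 on 02/02/2024
Balance due: $1,250.00
"""
```

Calling deidentify(SAMPLE_STATEMENT) returns the scrubbed text plus a per-category count that can be logged as evidence the check ran. Note the order of operations: the birth date is handled before generic dates so the 1931 year can be suppressed for a 92-year-old, and address lines are reduced to the three-digit ZIP before the generic ZIP pass runs. Treat this as a pre-mailing sanity check on structured fields, not a substitute for a documented de-identification review.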
PHI is individually identifiable health information, that is, any health information that can be tied to a specific person. This includes information created or used while providing healthcare, processing payment for healthcare or administering health insurance. ePHI is PHI that is created, received, stored or transmitted electronically, whether on a hard drive, server, thumb drive or another electronic device.
The main HIPAA security requirements fall into three categories:
Physical – The physical safeguards that control access to the facilities and equipment that hold ePHI, including computers, network routers, data storage and other devices.
Administrative – The policies and procedures that govern ePHI, including risk management, system architecture and maintenance of the security measures. This also covers HR functions such as workforce training and sanctions for policy violations.
Technical – The technology-level controls for storing and communicating ePHI: access controls, encryption, audit logging, network security and the security of computers and mobile devices.
The four essential HIPAA rules that govern compliance are:
The Privacy Rule – Sets national standards for how covered entities and their business associates may use and disclose individually identifiable health information, and gives patients rights over that information.
The Security Rule – Establishes national standards for the administrative, physical and technical safeguards that protect ePHI. These safeguards extend across all stages of operations within the company, including technology, administration, physical protection of computers and devices, and anything else that could affect the confidentiality, integrity or availability of Protected Health Information.
The Breach Notification Rule – Specifies what an entity must do when unsecured PHI is breached: notify the affected individuals, notify the Secretary of HHS and, for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets; a business associate must notify the covered entity. Notification is due without unreasonable delay and no later than 60 days after discovery, so organizations must have an incident response plan in place before a breach occurs.
The Omnibus Rule – Extends HIPAA requirements directly to business associates and their subcontractors, so a vendor working on a covered entity’s behalf is itself liable for compliance. These companies need to update their gap analyses, risk assessments and compliance procedures accordingly to cover anyone working on their behalf.
Depending on the needs of the client, FSSI can use address verification tools such as the USPS Coding Accuracy Support System (CASS), NCOALink and Move Update to help ensure each statement, bill or invoice reaches its intended recipient. Working with a CASS-certified provider ensures that your address data follows USPS formatting requirements and standards, which also reduces the risk of a statement containing PHI being delivered to the wrong person.
HITRUST stands for the Health Information Trust Alliance. It was founded in 2007 and uses the “HITRUST approach” to help organizations from all sectors – but especially healthcare – effectively manage data, information risk and compliance.
HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.
HITRUST was organized with the intent to provide an option for the healthcare sector to address information risk management across a matrix of third-party assurance assessments, with the hope of consolidating, reducing, and in some cases, eliminating the need for multiple reports. HITRUST refers to this design element as “assess once, report many.”
While FSSI does not hold HITRUST CSF Certification, it meets the HIPAA compliance requirements expected of a print and mail provider that handles PHI. The HITRUST CSF incorporates HIPAA’s requirements, so the two sets of controls overlap substantially. Being HIPAA compliant means FSSI follows best practices for keeping highly sensitive data secure when accessing, processing and storing protected health information.
HIPAA does not name a postal class, but the Privacy Rule requires reasonable safeguards when PHI is mailed, and the accepted practice is to send PHI-related documents by First-Class Mail, never by Marketing (Standard) Mail. In some situations you should use Certified Mail, which requires the recipient to sign for the mailpiece. An additional plus of Certified Mail is that it is trackable, down to a signed record of delivery.
The following are examples of ways an organization, or any contractor or vendor working with it, can violate HIPAA:
1) Mishandling medical records
2) Lack of HIPAA compliance training
3) Failing to plan for cyber attacks
4) Sharing PHI over unencrypted channels or on unencrypted devices
5) Failing to perform an organization-wide risk analysis
6) Disclosing the wrong patient’s information, for example a statement mailed to another patient
7) Improper disposal of PHI, both paper and electronic
8) Failing to execute Business Associate Agreements (BAAs) with vendors and other external associates that require them to meet the same HIPAA standards
9) Sharing patient information on social media
10) Discussing patients or patient data in person where others can overhear
11) Failing to safeguard devices that could be lost or stolen
12) Failing to obtain proper authorization before sharing records
Need an experienced HIPAA-compliant print and mail provider? Call 714-436-3300 today for a no-obligation consultation or to speak with a healthcare specialist about FSSI’s stringent data security and privacy practices.