According to statistics compiled by the Department of Health and Human Services Office for Civil Rights (OCR), the number of healthcare data breaches so far in 2016 exceeds the total incidents reported from 2009 to 2013. Document Data Solutions customers deal with confidential data all the time. They cannot ignore this trend. Protected Health Information (PHI) is a hot item and preventing this information from falling into the wrong hands is getting more difficult.
When we think about data breaches, we envision hackers burrowing their way into computers over the internet. This is happening every day. Other incidents occur when devices like laptops and portable hard drives are lost or stolen. Print service providers are vulnerable to malicious or accidental data exposure, and they should take precautions to protect the confidential electronic information their customers have transmitted to them.
Document Errors in the News
Printed documents are also sources of privacy breaches. Nearly all incidents of accidental disclosure via documents involve employee oversights. Uncaught printing and mailing errors can cause as much damage as a deliberate online attack.
In September, Pennsylvania-based Geisinger Health Plan exposed the PHI of over 2800 people. They blamed an unspecified mailing error.
The Veterans Administration reported 183 mis-mailing incidents in June 2015. Some veterans received medical supply, treatment, and diagnosis information meant for other veterans.
Two contracted firms hired by Howard University Hospital to mail collection letters disclosed the private health information of 1445 individuals. A "data error" involving patients sharing the same surnames caused the problem.
A Walmart vendor mailed letters bearing pharmacy information of other patients, along with properly addressed refund checks, to over 27,000 customers last May.
The severity of a privacy breach does not necessarily affect the impact upon service providers. Even if an incident harmed no patients, HIPAA rules force service providers to take certain actions. They must send notification letters promptly and companies must file breach notices. The OCR will likely investigate.
Hospitals, clinics, or insurers that hire print/mail service providers must make sure the vendors comply with HIPAA regulations. Business Associate Agreements (BAAs) issued by health organizations spell out vendor responsibilities and the consequences for failing to perform.
Lack of Preparedness Can Be Expensive
An OCR investigation triggered by a minor HIPAA breach can uncover other serious procedural issues which can lead to even more expensive business disruptions. Avoiding an accidental breach in the first place is the best defense against OCR intrusion. Print and mail service providers found to be lacking controls that could have prevented disclosure of PHI can be subject to fines and audits. If a breach occurs, service providers tarnish their reputations and could limit future opportunities to work with confidential data.
Document tracking, matching, and verification systems like iDataManager™ will catch errors that might otherwise make it through the production process and into the mail. If you are unsure of your exposure to the embarrassing and expensive aftereffects of a privacy breach, please call us. We'll be happy to evaluate your situation and recommend corrective measures. You can decide if you are comfortable with your risk level or if you need to invest in a plan for prevention.