Safe Data, Secure Mailing
White Paper 3.0
Is Your Printing & Mailing Environment Safe?
What is Secure Mailing?
Secure mailing ensures that patient data is used and released properly when mailed. The process involves security efforts that keep information safe when it is gathered, sorted, printed, and mailed.
For healthcare payers and providers, securing information when mailing is not just an important step, but one required by law. HIPAA protects the confidentiality and security of health information. It doesn’t take away an organization’s ability to contact patients or family members, but it determines the type of information that can be used in materials.
Did you know that $7 billion is lost annually because of HIPAA data breaches? Being risky with sensitive data is not only monetarily costly but also quickly damages a healthcare organization’s reputation.
The Big Stuff: PHI and PII
The first step of security is understanding what information cannot be shared by mail. Most healthcare organizations are well versed in the ins and outs of PHI and PII, but here’s a refresher.
Personally Identifiable Information (PII) refers to information that can be used to distinguish or trace a person’s identity, including:
- Name
- Social security number
- Driver’s license or identification card number
- Credit or debit card numbers
Protected Health Information (PHI) is any individually identifiable information (past, present, or future) pertaining specifically to health, including:
- Mental health history
- Healthcare services
- Payments for healthcare
Without a patient’s written consent, the following PHI can be used in direct mail:
- Patient demographics
- Health insurance status
- Dates of patient care and division or area of service
- Treating physician
- Outcome information
However, the following information requires patient authorization before using:
- Diagnosis
- Nature of services
- Specific treatment
Being risky with sensitive data is not only monetarily costly but also quickly damages a healthcare organization’s reputation.
Responsibility, Continuity, Security
A good rule to follow when securing data is: the level of security must match the level of data sensitivity. In other words: lock down the big stuff.
Data security measures should include:
- Disaster recovery plan
- Intrusion protection and detection
- Offsite data backups
- Operations and communications security
- Restricted access 24/7
- Strict audit controls
- Transmission security
Certain employees should be dedicated to maintaining these security measures, but all employees must comply.
To ensure compliance, consider the following steps:
- Train employees on HIPAA policies and procedures
- Keep documents that contain PHI well concealed (not out on main reception desks or on computers that can be seen from the waiting room or lobby)
- Conduct an annual risk assessment to pinpoint any security gaps
Additionally, printed data with PHI should always be shredded and disposed of properly when it’s no longer needed.
These guidelines are not just for healthcare organizations, but also for their partners. Anyone who is handling sensitive data needs to be aware of and practice internal security efforts.
Avoid the Breach
Most healthcare companies outsource the creation and production of their mail with a HIPAA-compliant marketing partner. Having a business associate agreement (BAA) with anyone who transports, stores, or processes PHI information ensures that all partners have set rules for what data they have access to, how they protect it, under what circumstances they can disclose it, and what they should do in case of accidental disclosure.
Creating a HIPAA-compliance checklist will identify which business partners are handling info, making it easier to keep track of data and to also prepare a process for auditing. This checklist should also have procedures for documenting any changes in hardware, software, organization structure, and employees internally and externally. Reviewing this checklist and conducting HIPAA security risk analyses should happen at least once a year.
It could be catastrophic to work with a partner inexperienced with HIPAA compliance. Take time to review all potential partners in depth to find one that matches the same level of reliability, security, and preparation required by law.
Who is Graphcom?
Graphcom is an unconventional marketing firm: equal parts creative studio and production powerhouse. We specialize in healthcare communications and take patient data security and privacy very seriously. From our creative division to our printing and mailing facility, only a select team handles PHI so your info is in safe hands at all times.
Privacy is our priority. We don’t just comply with HIPAA rules and standards—we go above and beyond them, so our healthcare clients can rest easy knowing that their sensitive data is secure. By securing your PHI, we free up more time for you to focus on bigger plans, bigger projects, and the bigger picture for your company.
Our Security Capabilities
Restricted Access Facility 24/7 (Limited physical access to premises; Access reviewed regularly; Video surveillance) // Information Security (Managed intrusion protection and detection; Audit controls; Security monitoring; Log retention; Regular penetration testing; Transmission security; Secure network (fiber optic); FTPS encrypted transfer; HIPAA/HITECH/ISO 27002 compliant // Workforce Security (Pre-employment background screening; Mandatory security awareness; Mandatory HIPAA, Medicare fraud, waste and abuse training every 6 months; Employees and suppliers checked against the List of Excluded Individuals/Entities (LEIE) and System for Award Management (SAM) monthly) // Disaster Recovery Plan (Redundant power and internet service; Offsite data backups at a tier 4 data center; Business continuity plan tested regularly)
Does Graphcom Sound Like a Good Fit for Your Organization?
If you’re a covered entity and need a strong, reliable marketing partner, let’s talk.