Aug. 10 2006 05:17 PM


Until recently, most managers of high-volume print/mail finishing operations viewed efforts to assure the integrity or privacy of customer messages as a way to bolster customer satisfaction and boost throughput. Indeed, investments in the new technology aimed at assuring mailpiece integrity, such as file-based processing, were often justified on the basis that they:


  • Yielded superior customer relations. Consumers today are increasingly intolerant of poor quality, and it is considered just "good business practice" to deliver transaction-based documents that are totally accurate.

  • Improved processing performance. Eliminating defects lowers costs by reducing the costly and time-consuming work of correcting errors and regenerating accurate messages.


Both of these goals remain valid and worthwhile. But efforts to achieve assured mailpiece integrity or the total privacy of messaging, especially for firms engaged in financial and health-care-related services, are now being advanced by a third factor: the need to comply with new federal regulations concerning the privacy of consumer information.


Some of these new regulations come with penalties for non-compliance. And while the penalty schedules have yet to be fully specified, they could be stiff: costly fines, the risk of civil suits or even criminal prosecution for those who intentionally or habitually ignore the new rules.


One set of the new federal regulations is called the Gramm-Leach-Bliley Act and concerns the privacy of consumer financial information. The second set is called the Health Insurance Portability and Accountability Act and, among other things, impacts how consumer health and medical information can be handled and communicated.


The Gramm-Leach-Bliley Act affects customer messaging centers because it restricts how financial firms can share or otherwise disclose consumer financial information that they acquire in the routine course of business.


Firms impacted by Gramm-Leach-Bliley include banks, insurance companies, mutual fund companies, investment and brokerage firms and credit and charge card processors.

In a nutshell, the Gramm-Leach-Bliley Act requires these financial services firms to inform consumers about how they intend to share information and to provide a mechanism for consumers to "opt out" of, or otherwise prohibit, the sharing of their personal financial data with nonaffiliated third parties.


The second set of federal regulations, known as HIPAA, is far more comprehensive and is meant to assure, among other things, that an individual's private health care data remains confidential. Its penalties for non-compliance are extremely broad. Although HIPAA became law in 1996, it remains a "work in progress" because the Bush Administration has recently delayed its full implementation.


Still, for firms involved in health care insurance, for example, the impact of HIPAA will be significant. It will center on the need to implement technology and procedures to assure that confidential health care data, which is commonly contained in both paper and electronic statements, messages and documents, cannot be misassembled, misdelivered, or otherwise accessed or disclosed, whether inadvertently or intentionally.


And although HIPAA is targeted toward the health care industry, the goals and procedures it outlines can serve as a guide for any firm seeking to assure the integrity and privacy of its customer messaging operation. And once fully implemented, it may even serve as a model for other industries.


Background on HIPAA

HIPAA became law on August 21, 1996 and emerged in response to complaints from consumers who were denied health care insurance when they changed jobs or legal status (i.e., were married or divorced), due to pre-existing medical conditions.


In essence, the act restricts the ability of a health care insurer to reject an individual for insurance coverage based on pre-existing medical conditions. The act was expanded to include provisions for reducing health care fraud, for guaranteeing the security and privacy of health information and for enforcing standards for (i.e., promoting the use of) the digital transmission and storage of health information.


The act encompasses health care providers such as physicians and hospitals; health plans such as insurers; health care information clearinghouses; and related entities known as business associates. However, since insurers produce the greatest volume of physical documents, in the form of enrollment forms, EOBs (explanations of benefits), checks and claim status letters, they are potentially at the greatest risk of non-compliance with the act.


In plain English, the privacy and security requirements of the act (which are the key concern to customer messaging operations):

  • Define the type of health care data that is protected by the act

  • Specify the need to obtain patient consent prior to the use of the health care data

  • Outline policies and procedures to ensure the security and accuracy of the data

  • Prohibit both the accidental and intentional unauthorized disclosure of data

  • Outline the need to establish a documented "chain of custody" for the data and documents

  • Set both civil and criminal penalties for non-compliance


The language of the act is comprehensive. For example, it defines "protected health information" as "any individually identifiable health information in any form ... that is held or transmitted by a covered entity."

Under its security provisions, it requires firms to adopt policies and procedures encompassing administrative, physical and technical safeguards that prevent unauthorized disclosure. And it defines unauthorized disclosure just as broadly: a disclosure can be unauthorized whether it is intentional and fraudulent, or unintentional, accidental or simply unnecessary.

Another key section of the act concerns the chain of custody of health data and documents. Here, the act permits only the minimum level of access to the data or document that is necessary to carry out approved actions and processes (the "minimum necessary" standard). In addition, the act stipulates that the firm must document who has had access to the data and for what reason.


Responding to the Challenge

For managers of customer messaging centers that need to comply with the act, the challenge is significant but not overwhelming. At each step in the messaging process, they need to:

  • Assure that access to data is authorized

  • Confirm that the routing is correct

  • Assure that the content is accurate

  • Document the process

  • Account for the data


The difficulty may come from the fact that, until recently, the vast majority of the industry focused almost exclusively on the print/mail finishing component of customer messaging. Fortunately, there is now a growing awareness in the industry of the benefits of managing the entire "life cycle" of the customer message as an interrelated five-step process that encompasses all the activities related to message creation, production, distribution, receipt and database updating.

As a result, innovative firms, such as those employing "closed-loop" or ADF-style (automated document factory) processing and control technologies like Direct Connect for assured mailpiece integrity, are well on the way to assuring privacy and compliance with the act as well.

Still, it bears repeating. At each step in the messaging process, from updating the customer database, to transferring data to applications, to manipulating the print stream for value-added processing, to composing documents, to managing print resources, to distributing data and messages electronically, to printing and inserting documents, to sorting completed mailpieces, the act requires that steps be taken to assure the security and privacy of health care data.
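As an added illustration (not from the article, and not Pitney Bowes or Direct Connect code), the following Python script shows the reconciliation step that closed-loop, file-based processing rests on. It assumes that composition writes a job manifest (piece id and sheet count per mailpiece), that every sheet carries a barcode the inserter reads as "piece id, sheet n of N", and that the inserter logs which scanned sheets went into which envelope; the manifest and scan log below are constructed sample data. The checks are the ones listed above: an envelope holds exactly the sheets of one mailpiece (no other customer's page inside it), every manifested piece is produced exactly once, and every decision is written to an audit record naming the operator, so the run can be accounted for later.

```python
"""Added example of closed-loop mailpiece reconciliation (not the article's code).
Assumed inputs: a composition manifest and per-sheet barcode scans from the inserter."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class SheetScan:
    envelope: int      # inserter envelope counter
    piece_id: str      # mailpiece id from the sheet barcode
    sheet_no: int      # "sheet n of N" from the barcode
    sheet_count: int   # N from the barcode
    operator: str      # logged-in operator, recorded for the chain of custody


@dataclass
class Report:
    sealed_ok: list = field(default_factory=list)     # pieces produced once, intact
    misassembled: dict = field(default_factory=dict)  # envelope -> reason; divert, never mail
    duplicated: list = field(default_factory=list)    # pieces sealed more than once
    missing: list = field(default_factory=list)       # manifest pieces never sealed intact
    audit: list = field(default_factory=list)         # one record per envelope decision


# Constructed manifest: piece id -> number of sheets composition produced for it.
MANIFEST = {"P0001": 2, "P0002": 1, "P0003": 3, "P0004": 1}

# Constructed scan log. Envelope 3 received a P0004 sheet in place of P0003
# sheet 2 (another customer's document in the envelope); envelope 4 is a
# second copy of P0002.
SCAN_LOG = [
    SheetScan(1, "P0001", 1, 2, "op17"),
    SheetScan(1, "P0001", 2, 2, "op17"),
    SheetScan(2, "P0002", 1, 1, "op17"),
    SheetScan(3, "P0003", 1, 3, "op17"),
    SheetScan(3, "P0004", 1, 1, "op17"),
    SheetScan(3, "P0003", 3, 3, "op17"),
    SheetScan(4, "P0002", 1, 1, "op17"),
]


def check_envelope(manifest, sheets):
    """Return None if the envelope holds exactly one intact piece, else the reason it fails."""
    pieces = {s.piece_id for s in sheets}
    if len(pieces) > 1:
        return "mixed pieces %s in one envelope" % sorted(pieces)
    (piece,) = pieces
    expected = manifest.get(piece)
    if expected is None:
        return "piece %s not in manifest" % piece
    if any(s.sheet_count != expected for s in sheets):
        return "barcode sheet count disagrees with manifest for %s" % piece
    nos = sorted(s.sheet_no for s in sheets)
    if nos != list(range(1, expected + 1)):
        return "piece %s has sheets %s, expected 1..%d" % (piece, nos, expected)
    return None


def reconcile(manifest, scans):
    by_envelope = defaultdict(list)
    for s in scans:
        by_envelope[s.envelope].append(s)

    report = Report()
    sealed = {}  # piece id -> envelope it was first sealed in
    for env in sorted(by_envelope):
        sheets = by_envelope[env]
        pieces = sorted({s.piece_id for s in sheets})
        reason = check_envelope(manifest, sheets)
        if reason is not None:
            report.misassembled[env] = reason
            decision = "divert"
        elif pieces[0] in sealed:
            report.duplicated.append(pieces[0])
            decision = "duplicate"
        else:
            sealed[pieces[0]] = env
            report.sealed_ok.append(pieces[0])
            decision = "sealed"
        # Who, what, when, why: the documented chain of custody for this envelope.
        report.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "envelope": env, "pieces": pieces,
            "operator": sheets[0].operator,
            "decision": decision, "reason": reason,
        })

    # Accounting for the data: every manifested piece must be sealed exactly once.
    report.missing = [p for p in manifest if p not in sealed]
    return report


if __name__ == "__main__":
    r = reconcile(MANIFEST, SCAN_LOG)
    print("sealed:", r.sealed_ok, "diverted:", r.misassembled)
    print("duplicated:", r.duplicated, "missing:", r.missing)
    for rec in r.audit:
        print(rec)
```

On the constructed data, envelope 3 is diverted because it mixes two customers' pieces, envelope 4 is flagged as a duplicate of P0002, and P0003 and P0004 are reported missing so they can be reprinted rather than silently dropped. The missing list is what turns "confirm the routing is correct" into a check that is actually performed against the input file, and the audit list is what a reviewer reads when asked who handled a given piece and why it was diverted.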


Mark Proft is the director of Strategic Marketing for Pitney Bowes Document Factory Solutions. For more information, please visit

