Some document production facilities fail to appreciate their exposure to fines, penalties, and negative publicity should data or documents featuring private information fall into the wrong hands. Document center managers should be aware this data may be covered by regulations such as HIPAA and HITECH. The Office of Civil Rights is responsible for enforcement of the health information privacy laws and they have announced plans to expand audits and investigations.

In the language of HIPAA, outsource service providers such as billing agencies or document print and mail operations are known as Business Associates. In a recent study, 57 percent of all breaches involved a Business Associate. The exposure is very real for any company that handles data or documents containing personal health information.

Hackers Get the Press, but Other Vulnerabilities More Common
Health information can be a valuable commodity to identity thieves, insurance fraud perpetrators, or illicit prescription drug rings. But deliberate theft of such information from outside criminals is actually fairly rare. Statistics show that thus far, hacking has contributed to a small percentage of reported HIPAA incidents.

Since health information can be more valuable to criminals than social security numbers or credit cards it stands to reason that crooks will continue to probe for weaknesses throughout data workflow. Those probes could very well include companies that print or mail patient statements, lab reports, hospital bills, or insurance forms. So document service providers should take the necessary precautions to protect the data from outside access.

But document production facilities should be just as concerned about loss or accidental disclosure of protected information as they are about malicious attacks. Accidental disclosure can come in many forms including physical printing, inserting, and mailing mistakes. Other reported incidents include improper disposal of printed material such as damaged documents, tests, or duplicates. Fortunately for document operations, automated safeguards and human quality controls can lessen their exposure to such occurrences. These measures are fairly easy and inexpensive to implement.

Processing documents containing private information really requires an investment in automated control systems to ensure document integrity. Running an operation without such systems is risky. And yet some organizations continue to rely on manual measures or older technologies that are no longer adequate to protect them against costly and embarrassing privacy breach incidents.

The Weakest Link
The trouble with most quality control procedures commonly used in many document operations is their manual nature. Staff members are tasked with checking job set-ups, verifying print quality, handling manual reprints, or balancing batches. Those steps, though prescribed, are not always performed. Or, they are performed in an offhand manner that will allow errors to slip through undetected.

I recall a news story about a state agency where a mail inserter operator set the machine to insert four pages into each envelope when it should have been set for one page. The result was the disclosure of private health information of three individuals to the addressee of each envelope. One could question the decision to run a job containing sensitive data without any inserter control barcodes. That was probably a bad idea. But even so, I have to believe the shop had some sort of balancing procedure in place that would have raised concern when the job produced only a quarter of the expected mail pieces! Clearly that step was not performed.

Besides operational errors or slipshod quality control procedures, employees can be the source of a privacy violation in other ways as well. One of the most common types of reported incidents is the loss or theft of unencrypted private information from laptops and portable drives. Well-meaning programmers, technicians, or document designers may take data files out of the document facility in order to do work at home. On their way they stop at the grocery store and when they return to the car their briefcase or computer bag has been stolen!

The theft is an incident that is required to be reported to the regulatory authorities. The responsible organization must take extraordinary measures to identify the individuals whose information was stolen and notify them. The company may be assessed fines and subjected to audits. It goes without saying that such an occurrence could have a devastating effect on the document processing firm's reputation and their customer relationships.

Violations Costly
The amount of the fines that can be assessed for HIPAA violations depend on the severity of the infraction and several other factors, including a judgment about whether the Business Associate knew or should have known about the violations. Ignorance is not a defense. The fines can range from $100 to $50,000 per incident. Added to those amounts are fees for legal representation, public relations experts to repair tarnished reputations, re-work, damage control measures such as paying for credit monitoring, and loss of business.

Few providers of printing and mailing services can absorb high-level damages without severe and long-lasting consequences to their businesses. Reviewing all the procedures in the shop and taking steps to minimize the risk can seem like a nuisance. But it is a lot better than experiencing the pain and hardship a privacy violation can cause.

Mike Porter is an expert in Print and Mail operations and President of Print/Mail Consultants, an independent consulting firm that helps companies nationwide improve their production workflows. As part of their services they assess security vulnerabilities for document centers. For more information visit and look for the section on the Document Security Audit.