Hackers and electronic data breaches dominate news stories when it comes to HIPAA breaches. But have you thought about your practice or facility’s vulnerabilities when sending protected health information in the mail? In one of many examples of a mailing gone wrong, an insurance company sent notices regarding treatment of its members to the wrong addresses and the insurance company had to take remedial measures under an agreement with the Office of Civil Rights (OCR) in 2018. Trust me, you don’t want the OCR knocking on your door, so read on for tips on how to prevent a HIPAA breach via mail:

  • Take extra precautions when packaging protected health information. When sending protected health information through the mail, print instructions clearly on the envelope stating the mail should be returned to sender if an unintended recipient receives the mail. This reduces the risk that a breach will happen when a patient’s address is not updated. Also, when sending a disk or other media through the mail, encrypt or password protect the disk or media as an additional safeguard.
  • Check your internal processes for sending mail. Determine whether there is a high risk of human error or otherwise in your process for sending mail and make sure that you address each area of risk. Think about it: a simple misstep when formatting and printing out labels for envelopes could turn into a massive HIPAA breach if names were incorrectly matched with addresses. Employee training is key.
  • Make sure you have business associate agreements in place with vendors handling mailed protected health information. If your facility or practice has vendors sending bills and other protected health information in the mail, make sure you have business associate agreements in place. Also, screen your vendors with regard to their HIPAA compliance. Even though the vendor would be liable in the event of a breach, the ripple effects to your practice or facility, like the effect on reputation and perception of security with patients, are important to consider.

Don’t overlook good old fashioned mail when considering risks and vulnerabilities at your practice or facility. A significant amount of protected health information is still sent through the mail, and particularly through vendors, so take time to think through your practice or facility’s processes for sending mail or check to make sure you have updated business associate agreements in place with vendors that mail protected health information.