All pharmaceutical and insurance companies, hospitals, medical practices, and related businesses must follow HIPAA guidelines when sending direct mail. This means entities must not produce a mail piece that shows any of the individuals private health information. How will this affect the direct mail campaign you’ve just created? Design Distributors explains the rules of HIPAA and how postal mail can be compliant in this brief guide.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. It was passed to ensure individuals maintained their health insurance between jobs (known as the Health Insurance Portability section) and ensure security and confidentiality of patient information.
Established in 2003, the HIPAA Privacy Rule created national standards to safeguard individuals’ protected health information (PHI), limiting its use and disclosure. The rule was passed to give patients more control over their private information, establish protocols and measures healthcare providers and others must implement to ensure privacy, set rules for how health records are released, and hold violators accountable.
The Security Rule applies to such data stored or transferred electronically. It also “operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place,” according to a summary by the U.S. Department of Health and Human Services. The Enforcement Rule guides compliance and related investigations.
The Breach Notification Rule “requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information,” states the agency.
HIPAA applies to the following entities:
HIPAA extends to business associates of covered entities, so contractors or subcontractors must also follow parts of the regulations.
Protected health information includes any data stored in medical records. This includes names, social security numbers, identifiers and serial numbers, telephone numbers, telephone or fax numbers, email addresses, demographic information, medical histories, test results, insurance information, and more. PHI also covers conversations among medical staff about a patient’s care or treatment, information in health insurers’ systems, billing information, and more.
Wellness programs typically do not fall under HIPAA guidelines, and are generally not subject to the same regulations.
If you’re an insurance or pharmaceutical company, hospital or physician’s office, you must ensure the proper procedures are in place to securely manage, store, and transmit PHI data.
The first step is to secure a HIPAA compliant direct mailer. Design Distributors is committed to the ongoing work HIPAA compliance requires, ensuring we have the most up-to-date security measures in place to handle sensitive information. Our data management systems conform to ISO 27001 standards, a management framework that identifies, analyzes, and addresses information risks. Design Distributors also undergoes third-party audits and is SOC 2, Type 2 certified with HITRUST mapping.
Once you’ve hired a secure direct mailer with the necessary certifications and protocols in place, take proactive steps with your mail campaign to ensure its data won’t be compromised.
When designing your mail piece, think about the positioning of the private health information. It’s best to utilize letter packages or self-mailers instead of postcards, to eliminate risk of exposure. Make sure this data isn’t visible through an envelope window, keeping in mind a letter may jostle around. You may want to avoid this altogether by using a closed face envelope. Ensure this and the outer section of a self-mailer are devoid of personal data related to a specific illness or condition.