Bad Addresses: A Costly Risk for Healthcare Mailers

Misaddressed mail with sensitive medical data can lead to HIPAA violations and costly fines.


We can all agree that medical and other health information is private and should be protected. Patients have the right to know who has access to their information. That’s why the Privacy Rule exists.

The federal law gives people rights over their health information, and it sets rules and limits on who can look at and receive that data. “The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written or oral,” explains the Health Insurance Portability and Accountability Act of 1996 (HIPAA) website.

Privacy concerns apply not only to digital data but also to the print medium. Despite efforts by the USPS to reduce undeliverable mail, it still costs the postal service some $1.5 billion annually to handle mail that can’t be delivered as addressed, so we know that accurate postal addressing can sometimes be challenging. Inaccurate or out-of-date postal addresses are a headache for any organization, but in the healthcare field the consequences of delivering mail to the wrong address are even worse. Private health information sent through the mail to unauthorized persons violates HIPAA.

With the prominence of mental-health awareness in the United States, the Department of Health & Human Services last fall recommended revising its confidentiality protections. Proposed changes could address concerns that discrimination and fear of persecution deter people from entering treatment for substance-abuse disorders. If sensitive patient mental health information is contained in a letter mailed to the wrong address and (by accident) lands in someone else’s hands, the damage could be harmful to the intended recipient.

Misaddressed Mail Happens

If you’ve moved recently, you know this can happen, and how frustrating it can be. Nearly six in 10 people regularly receive mail addressed to previous residents, reports MyMove LLC. Although opening and reading such mail is unlawful, senders can’t control recipients’ actions, and problems arise even when the mail is opened by mistake. Once medical mail containing PII is misaddressed, the damage is done.

With healthcare documents, poor address quality and financial risks are connected. When the federal government gets involved, compliance is important. HIPAA falls under the jurisdiction of the U.S. Department of Health and Human Services (HHS), which also maintains an Office for Civil Rights (OCR). According to HHS, anyone can file a health information privacy or security complaint. The OCR reviews complaints and may open an investigation.

What’s at Risk

How “clean” is your mailing-address data, and how big is your list? If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the HHS secretary of the breach “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.”

“Financial penalties are intended to act as a deterrent to prevent the violation of laws,” notes HIPAA, “while also ensuring covered entities are held accountable for their actions, or lack of them, when it comes to protecting the privacy of patients and the confidentiality of health data . . . .”

For the past 10 years, penalties for HIPAA violations have applied to healthcare providers, health plans, healthcare clearinghouses and all other covered entities, as well as to business associates of covered entities. HIPAA considers print and mail service providers as business associates and holds them to the same standards as clinics, insurers, and hospitals.

“Ignorance of HIPAA rules is no excuse for failing to comply,” stresses an HHS spokesperson. “It is the responsibility of each covered entity to ensure that HIPAA rules are understood and followed. When a covered entity is discovered to [have] committed a willful violation of HIPAA laws, the maximum fines may apply.”

But what if you’ve made an innocent, “Tier 1” mistake? HIPAA doesn’t care that violations may be unintentional. “A violation occurs when a HIPAA-covered entity, or a business associate, fails to comply with one or more of the provisions of the HIPAA Privacy, Security or Breach Notification Rules.” Many financial penalties result from negligence, such as failing to perform organization-wide risk assessments. Even minimum fines can cost firms $100 per violation, up to $50,000.

A Tier 1 offense is a violation of which the covered entity was unaware and could not have realistically avoided.

Tier 2 violations are those instances that the covered entity should have been aware of but could not have avoided, even with a reasonable amount of care. (Source: HHS and HIPAA)

Tier 2 offenses carry a minimum fine of $1,000 per violation, up to $50,000. Tier 3 and 4 violations involve cases of deliberate, “willful neglect,” for which fines are much steeper.

HIPAA Penalties Assessed

How large a penalty can you afford? The OCR can fine organizations up to a maximum of $25,000 per violation category, per calendar year, according to the HIPAA Journal (March 2023). The minimum fine applicable is $100 per violation. HIPAA settlements in 2022 ranged from $20,000 to $875,000 across the United States, from Oklahoma to Massachusetts and Florida. Excellus Health Plan (New York) paid out a $5-million settlement in 2021.

After a record-breaking year of fines and settlements, the Office for Civil Rights (OCR) is expected to continue aggressive enforcement of HIPAA compliance under new OCR Director Melanie Fontes Rainer. Since 2019, OCR has continued to crack down on violations of the HIPAA Right of Access, which provides individuals with easy access to their health information and empowers them to be more in control of decisions regarding their health and well-being. Enforcement of the non-disclosure aspects of HIPAA is sure to continue as well.

OCR investigations triggered by a complaint can uncover other, inadvertent violations, such as lack of a documented HIPAA risk analysis or storing unencrypted data. These deficiencies, even if they did not contribute to HIPAA violations, can cause the OCR to demand remedial actions and ongoing audits that disrupt operations and affect profitability. They can also cause violations to move into the “willful neglect” category of heftier fines. Avoiding HIPAA complications caused by bad addresses is a worthy goal.

Scrub mailing lists to keep them as up to date as possible. Ensure you have corrected all addresses on file and updated information for patients who have moved. Addressing software from Firstlogic like Address IQ® will enhance data quality and get healthcare-related mail on the right path to avoiding potentially costly fines, and to getting medical mail into the right patients’ mailboxes.