The Archive

Compliance and Risk Management as a Case for Outsourcing High-Security Mail Fulfillment



Many small to medium businesses (SMBs) produce their high-security Protected Health Information (PHI) or Non-Public Private Information (NPI) mailings in-house. Perhaps it’s a lack of communication service providers (CSPs) willing to accept smaller mailing contracts. Or, maybe it’s the misperception that it’s less expensive or more secure to do it in-house. 


We’ve shown previously that outsourcing can bring significant economic benefits. It also has the added benefit of enhancing privacy, security, and compliance when partnered with the correct outsourcing partner. In this paper, we will examine the case of a real medical franchise company (who we’ll call MFC) to illustrate this point. 


Subject Company:

With dozens of clinics in the Southeastern US, MFC equipped and staffed their mail production facility requiring one full-time employee, printing and mailing equipment, and specialized software to facilitate the production process. The software was resident on their local computer and only controlled the printer – a very common setup for most captive mail processing units. 


Live Example:

One of the mailings MFC routinely produced was a letter to comply with Florida Statute 456.058, F.S. governing the Medical Records of Physicians Relocating or Terminating Practice. This Statute, like other similar statutes in a majority of states, makes it a punishable offense to fail to notify affected patients of the termination or relocation of a physician’s practice. In a multilocation business like MFC, this is a fairly common occurrence. When the Rule was first written, four consecutive newspaper classified ad placements were deemed sufficient to meet this requirement. With the virtual demise of newspapers and the propagation of litigation attorneys, this remedy is no longer sufficient. 


After paying out on a small number of nuisance lawsuits based on non-notification of physician relocations, MFC came to us (Mailtropolis LLC) in search of a better method of notifying affected patients, one that included proof of notification. The result of this effort was a 6×9 postcard, addressed to the patient, telling them of the departure of their physician, and informing them of other physicians in the practice to whom they could transfer. The card also included a QR code link to the Physician Staff page on their local website, as well as an appointment reminder, informing them approximately how long it had been since their last visit, and that they should consider making an appointment to meet their new doctor and be seen in a timely fashion. The card was processed through our Quadient Impress™ high-security document fulfillment center, so we were able to report proof of production, proof of content, and even evidence of delivery. From that point forward, MFC has successfully defended several lawsuits claiming non-notification of physician relocations. As a side benefit, the cost to produce and mail a 6×9 postcard was less than sending a letter in an envelope. The crowning benefit was the 18% response rate to the card in the form of cold patient appointments the notification generated. Less expensive, fewer adverse outcomes, and increased revenue. Not bad for a day’s work.


Compliance and Risk Management:

We’ve discussed how outsourcing can provide resources not otherwise available internally.. Outsourcing can also create economic benefits and create opportunities for your business. However, even though you can outsource business processes like high-security mail, you can never outsource your responsibility or liability. Especially in the medical “industry,” where Business Associate Agreements are the norm (at least with credible outsource service providers). Your choice of outsourcing partner can create risk along with additional legal and financial vulnerability.


Electronic transmission of PHI and NPI has become more popular with healthcare providers due to the perception that there is a cost advantage (though there is literature2 that disputes this assumption). The real issue has become security. Hackers have become far more efficacious in their efforts, and data breaches are the number one HIPAA violation when you review HHS data. The Postmaster at a regional Business Mail Entry Unit we spoke with recently concerning the security of printed data transmission simply said: “Have you ever heard of the post office being hacked?”


Health and Human Services and the Office of Civil Rights have announced several new HIPAA privacy regulations to be released in 2022. Patients will have expanded access to their own PHI, creating transmission security issues and increasing the vulnerability to hacks. They have announced a focus on “Intent,” noting that the sophistication of your data security and physical fulfillment initiatives are going to impact fines and punishments. Choosing the best alternatives for high-security mail fulfillment has just become an even smarter choice for your organization.


Choose Your Outsourced Partner Carefully: 

In the case of high-security mail fulfillment, there are three tiers of service providers that provide differing levels of compliance and risk.


Tier 3 includes 95% of all professional Mail Service Providers (MSPs). They have automated mail production equipment and some degree of data security, but they have no way of documenting the content, production, mailing, or delivery of every mail piece. They are the lowest “cost,” but highest risk outsource service providers. Very few Tier 3 service providers operate with Business Associate Agreements (BAAs).


Tier 2 includes the next level of security and roughly 4% of all MSPs. Members of this group typically have more sophisticated equipment and can document the final delivery of your mail pieces. Unfortunately, they are unable to provide proof of content or production of the mailpieces in a job. The services of members in this tier are typically a bit more “expensive,” but provide lower risk than that of Tier 3 MSPs. Some of the service providers in this tier operate with BAAs, but most don’t.


Tier 1 are communication service providers (CSPs) that have built their business around providing the highest level production and data security and providing documentation of their results. Members of this group can provide proof of content, proof of production, and proof of mailing and delivery. Their processes and facilities are designed for high-security document fulfillment. They can prove compliance, and will only operate under a BAA. Members of this group are at the lowest risk of any MSP.


Mandatory Business Associate Agreements:

HIPAA privacy rules apply to covered entities: health plans, healthcare clearinghouses, and healthcare providers. Outside businesses perform functions and activities for covered entities that necessitate access to PHI – these businesses are known as “business associates.” HIPAA allows covered entities to disclose PHI to business associates for the performance of these functions and activities “only if the providers obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate. These assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.” 1



Outsourcing high-security document fulfillment to a Tier 1 MSP under the terms of a BAA, provides the lowest level of risk and ensures compliance with state and national laws covering PHI.


  2. “The Pace of Digital Evolution: Quadient Corporation / Coleman Parkes Research (