Communicating Protected Health Information

Doing it Right and Why That’s Important

In 1996, the US Department of Health and Human Services (HHS) created the Health Insurance Portability and Accountability Act (HIPAA) to: “amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets… and for other purposes.” In 2013, HHS released an updated version, the Omnibus Rule, to include privacy, security, enforcement, and breach notifications. In 2020, HHS and the Office for Civil Rights (OCR) released an additional rule change, modernizing the act as it existed to make it more patient-centric.

HIPAA is a beast, and compliance is complicated. Communicating Protected Health Information (PHI) following the rules and regulations created by HIPAA can be a minefield, and doing it correctly requires knowledge and education, not to mention a lot of expensive hardware, software, and certifications. In this paper, we will provide a brief overview comparing “doing it right” with some common practices, and the potential ramifications of “getting caught.”

Digital versus Analog

Digital communication has seen increasing popularity for the past 40 years. Some digiphiles have gone so far as to pronounce the demise of analog (written) communication altogether. Of course, this is an exaggeration, but digital communication is relatively inexpensive, convenient, and provides instant gratification, an increasingly important factor in the global economy. When considering the transmittal of PHI, digital communications employing secure portals, cloud servers, and encryption have grown in popularity as well, though there is a drawback that isn’t often advertised by those digital providers: security.

Unless you live in a vacuum, you’ve seen reports of hackers stealing PHI and other forms of Non-public and Private Information (NPI), primarily financial, as well as cyber attacks on everything from airports to hospitals, and from the Pentagon to financial institutions. Hacking has become an industry, and PHI is not immune.

One of the additions to HIPAA outlined rules for reporting breaches, or unauthorized dissemination of PHI, for any incident involving more than 500 records. In the first six months of 2022, there were 313 reportable data breaches affecting over 20 million records. Of these, 256 were cited as hacking, 15 were from loss or theft, and 42 were from unauthorized access. When you do the analog versus digital analysis, only 21 of the 313 breaches, affecting less than 1% of the 20 million records breached, were from paper sources. I guess it’s a bit more complicated trying to hack the US Mail.

Direct Mail Distribution of PHI

If done correctly, direct mail fulfillment of PHI is the best documented and most secure channel available. IF it’s done correctly! There are three tiers of mail service providers (MSPs) available for contract mail fulfillment. Tier 3 MSPs, comprising 95% of the market, are primarily purveyors of marketing mail. They may claim to be “HIPAA Compliant,” but it’s a hollow claim. They can process simple jobs, but lack the documentation and controls that HIPAA requires. Tier 2 MSPs comprise about 4% of the market. They have computer-controlled equipment and more advanced printing and processing capabilities, but again, their claims of HIPAA compliance are unsubstantiated. The top 1% of mail service providers are truly capable of providing the security, sophisticated data processing, and advanced manufacturing techniques required to comply with HIPAA regulations for communicating PHI. The following checklist will help you determine whether your MSP is a Tier 1 supplier.

  1. Does your MSP require a business associate agreement (BAA)? If not, they are not following the mandatory rules set forth by Health and Human Services (HHS), the department responsible for HIPAA.
  2. Does your MSP provide an encrypted portal for communicating data and art?
  3. Can your MSP provide documentation giving proof of production and content?
  4. Can your MSP provide documentation giving proof of mailing?
  5. Can your MSP provide documentation giving proof of delivery of your PHI mailing?

If the answer to any of these questions is “no,” you should reconsider who you are using for high-security document fulfillment.

 

Penalties for Breaches

As a covered entity, it is your responsibility to know the HIPAA regulations and how they apply to you and your practice or business. Ignorance is not an excuse. Not knowing that what you’re doing is a violation will not protect you from stiff fines, public disclosure, or continuous audits. Some breaches can even be criminal, requiring jail time. Intentional violations such as theft of patient information and the disclosure of PHI with the intent to do harm are both examples of criminal violations.

In most cases, the Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) handles penalties and violations. OCR tends to resolve violations without levying fines. Options include voluntary compliance and remediation, that is, making sure the issue doesn’t happen again. OCR may also issue technical guidance if the violation came from an accidental data breach or something similar. With less serious accidental violations, OCR may even decide to waive the fine. OCR does issue fines in chronic cases. They will use your history and the impact of the violation to set fines or determine whether you will get jail time.

Employers get involved in the penalty phase as well. Small violations and first-time offenses typically draw retraining. Repeat or serious offenses may draw termination of employment. Employer interventions are seen favorably by the OCR.

State judiciaries may also get involved, issuing fines of $100 to $25,000 per violation. And if the violation affects multiple states, multiple state attorneys general may also be involved.

Violations and their resulting penalties fall into four basic categories or tiers.

Tier 1 violations consist of smaller-scale accidental breaches. The covered entity may not have even known of the violation or have been able to do anything to prevent it. Fines can range from as little as $100 to as high as $50,000 per violation. To be Tier 1, the covered entity has to be following the rules and regulations when the breach occurs.

Tier 2 violations occur when a covered entity should have known of the violation and its cause, and attempted to remediate the situation, albeit unsuccessfully. Penalties for HIPAA violations in this category range from $1,000 to $50,000 per violation.

Tier 3 violations are issued when a breach occurs as a result of willful neglect of HIPAA rules, but attempts were made to correct the issue. The penalty for Tier 3 violations ranges from $10,000 to $50,000 per violation, depending on the level of harm.

Tier 4 violations are issued when you display willful neglect leading to a breach and do nothing to try to correct the issue. Continuously leaving patient records out or not logging out of electronic records are examples of Tier 4 violations. Needless to say, this is the most serious type of HIPAA violation, so it carries the biggest penalty. Each violation faces a minimum fine of $50,000. While other types may qualify for a waiver, these violations do not. Some of these violations may also result in jail time.

It must be noted that in addition to the fines and potential jail time mentioned above, there are always requirements for public disclosure and years of annual audits by HHS.

If you have questions about direct mail fulfillment of PHI, please check us out by going to https://mailtropolis.net or call us at 407.305.2474.