The HIPAA Opportunity
Aside from avoiding penalties, compliance with HIPAA
yields an edge that can help grow the business

by Marc Grimm
Director, Business Development
Enterprise Integration Solutions
Pitney Bowes Document Messaging Technologies

Every problem is an opportunity.

The conventional wisdom concerning HIPAA -- the Health Insurance Portability and Accountability Act -- is that the new Federal rule is an obligation targeted exclusively at health care related firms, and that non-compliance can bring swift and severe punishment.

The reality, however, is much different. Compliance with the requirements of HIPAA also presents an opportunity for all firms -- regardless of their industry or size -- to differentiate themselves on the basis of integrity and privacy, and use customer messaging to create a powerful competitive advantage and help grow the business.

Indeed, the leaders and innovators in the customer messaging industry are already doing exactly that.

To be sure, HIPAA is targeted at firms in the health care and insurance industries, and its scope and requirements are comprehensive as well. In a nutshell, HIPAA was enacted in response to complaints from consumers who were being denied or had great difficulty obtaining health care insurance when changing jobs or legal status, such as a divorce, due to pre-existing medical conditions.

HIPAA Opportunity
Originally, the intent of the law was to assure the easy portability of health care data so insurance coverage could be more quickly and easily provided to anyone with a status change. In essence, it was intended to restrict the ability of health care insurers to reject an individual for insurance coverage based on pre-existing medical conditions.

As such, the initial focus of the Act was on data in digital form -- on creating a common database with a standard set of communications protocols and codes which would facilitate the exchange of health care data electronically -- i.e., Electronic Data Interchange (EDI).

For managers of data centers in firms that needed to comply with HIPAA, the challenge was hardly overwhelming. For example, at each step in data processing they needed to:

  • Assure that access to the data is authorized
  • Confirm that the routing is correct
  • Assure that the content is accurate
  • Document the process
  • Account for the data.

For the vast majority of modern firms, these steps were already underway or they could be accomplished very quickly. These are the same actions that print/mail finishing managers will have to take, which we'll discuss later.

Privacy and Security
However, the focus of HIPAA was broadened considerably when public concern about the privacy of health care data overtook the issues related to the security and interchangeability of digital data, and the Act's definition of Protected Health Care Data was altered.

As initially proposed, the definition was "any identifiable health information that is, or has been electronically transmitted or maintained by a covered entity."

But as finally adopted, the definition was broadened to include "any individually identifiable health information in any form ... that is held or transmitted by a covered entity."

This simple change shifted the focus of HIPAA away from data exclusively in 'bits and bytes' form. The Act now encompassed data in all its forms, including the physical 'pages and piles' format involved in downstream processing and ultimately received by consumers. And that change placed managers of the customer messaging function squarely in the center of the action.

For most businesses, complying with the original 'digital' requirements of HIPAA was relatively easy. After all, virtually every business already maintains a secure data center. Procedures for limiting access to data, such as secure servers, firewalls and PIN numbers, have been around for years.

Plus, firms are already in compliance with stringent government rules concerning the security and accuracy of data, such as those issued by the SEC and other state and Federal regulators. So businesses are fully adept at assuring the security of customer and business data in electronic form, and they have been for years.

But the need to extend that same level of data security and privacy to the print/mail finishing center -- and possibly even to individual mail pieces throughout the postal mail stream -- caught more than a few firms unprepared. And it has presented the innovators in our industry with an opportunity to differentiate themselves on the basis of quality, superior customer service and mail piece integrity.

After all, there is no doubt that privacy is a top concern of virtually all consumers today. The recent and rapid growth of the Internet and the associated fear of 'electronic snooping' and identity theft have only heightened that concern.

Responding to this growing consumer concern about privacy, proactive businesses are now seizing the opportunity to comply with HIPAA -- not just because it is required by law and to avoid the penalties for non-compliance -- but because it is 'just good business sense' to assure the quality and privacy of customer messages. Indeed, compliance affords these innovators a dramatic way to 'stand out from the crowd' of lesser firms that have not yet achieved messaging integrity.

In effect, for these innovative firms the acronym HIPAA stands as much for High Integrity Processing and Accountability as it does Health Insurance Portability and Accountability.

And they are aggressively promoting the fact that they offer the highest level of messaging privacy and confidentiality available as a way to attract customers, build stronger relationships and grow the business. Which, after all, is the fundamental reason the business exists in the first place.

Responding to the Challenge
Although the Act encompasses the health care industry -- including providers, such as physicians and hospitals; health care plans, such as insurers; and health care information clearinghouses and related entities known as business associates -- insurers are a primary customer messaging focus. That's because insurers produce the greatest volume of physical documents such as enrollment kits, EOBs, checks, and claim status letters.

So for managers of customer messaging centers that need to comply with HIPAA -- or those who want to use compliance as a step in helping to grow the business -- the primary concern is complying with the Privacy and Security requirements of the Act. In plain English, these rules:

  • Define the type of health care data that is protected by the Act.
  • Specify the need to obtain patient consent prior to the use of health care data.
  • Outline policies and procedures to ensure the security and accuracy of the data.
  • Prohibit both the accidental and intentional unauthorized disclosure of data.
  • Outline the need to establish a documented 'Chain of Custody' for the data and documents.
  • Set both civil and criminal penalties for non-compliance.

For example, under the provision for Security and Accuracy of Data, the Act requires firms to adopt security policies and procedures -- encompassing both physical and technical safeguards -- that prevent any unauthorized disclosure. And it defines unauthorized disclosure as either intentional and fraudulent or unintentional, accidental and even unnecessary.

Another key section of the Act concerns the 'Chain of Custody' of health data or documents. Here the Act permits only the minimum level of access to the data/document that is necessary to carry out approved actions and processes. Plus, the Act stipulates that the firm must document who has had access to the data and for what reason.

Another key section of the Act concerns addressability. Patients may ask health care providers and plans to communicate health information to them by "alternative means" or at "alternative locations." The print/mail finishing center needs to take great care in considering this when employing address hygiene solutions.

Although HIPAA does not mandate any specific solution, technologies that become widely adopted -- such as file-based processing for assured mail piece integrity -- could evolve into de facto industry standards as competitive pressures force other firms to adopt similar strategies. And there is ample evidence that is already happening.

For example, until recently many high volume mailers focused primarily on the print/mail finishing component of customer messaging in isolation.

But there is now a growing awareness of the benefits of managing the entire 'life cycle' of the customer message as an interrelated five-step process that encompasses all the activities related to message creation, production, distribution, receipt and database updating.

As a result, innovative firms, such as the ones employing 'closed-loop' or ADF-style processing and insertion control technologies like Pitney Bowes' Direct Connect for assured mail piece integrity, are well on their way to assuring message privacy, compliance with the Act, and the use of customer messaging as a strategic tool to help grow the business.

Still, it bears repeating. At each step in the messaging process:

  • From updating the customer database,
  • To transferring data to applications,
  • To manipulating the print stream for value-added processing,
  • To composing documents,
  • To managing print resources,
  • To distributing data and messages electronically,
  • To printing and inserting documents,
  • To sorting completed mail pieces;

HIPAA requires that steps be taken to assure the privacy and accuracy of health care-related data. But good business sense and the growing demands of consumers suggest that the same level of security and protection be afforded to all confidential customer-related data.
