Handling address data is such a routine occurrence for health insurance providers that it’s not the first thing that would come to mind as being a liability. However, the reality is that discrepancies and inaccuracies in address data can have far-reaching consequences, posing serious privacy and compliance risks. Healthcare fraud, reputational damage, and financial penalties are just a few examples of the potential hazards.
In this article, we’ll delve into three common types of privacy and compliance risks resulting from incorrect or incomplete address data. Furthermore, we’ll outline effective address management practices that health insurance providers can adopt to mitigate these risks and ensure compliance while safeguarding patient privacy.
You no doubt receive mail at your home address from time to time that’s addressed to someone else. If it looks important, you might write "Return to Sender" on the envelope and send it back, but if it seems like junk mail, you probably just toss it into the recycling bin — no big deal.
But imagine the piece of mail in question is from a health insurance plan notifying a patient of a change in coverage. The patient doesn’t receive the communication and proceeds with an expensive treatment that’s no longer covered. They get the bill and, upset, initiate a lengthy appeals process and accuse the plan of violating federal regulations requiring timely notice of changes in coverage — all because of an incorrect address.
Maybe the patient or an office worker mistyped their address, or perhaps they didn’t update their address when they moved. The address could have been missing a unit number or had a misspelled street name. Whatever the case, the address was inaccurate and the impact real. Address information is a critical part of health data in a world that runs on data, and today it’s expected that data will be consistent, standardized, and secure.
Under HIPAA (the 1996 Health Insurance Portability and Accountability Act), personal health information (PHI) includes any individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity, such as a health insurance plan. Sharing PHI without the authorization of the patient is a violation punishable by a fine or even jail time.
Medical bills and explanations of benefits (EOBs) are considered PHI, and sending them to the wrong address is a direct violation of HIPAA. If misaddressed mail containing healthcare information is unintentionally disclosed, the responsibility lies with the sender — not the recipient.
When it comes to these sensitive communications, it’s vital that the right information goes to the right person — in fact, it can be better not to send it at all than to send it to the wrong address. When a violation happens, a health insurance provider is required to identify where in the process the mistake occurred, contact the patient to explain, and correct and resend the information — a task that involves multiple employees and takes considerable time.
Patients also have the right to report the violation, which can result in an investigation by the Department of Health and Human Services (HHS). Part of that investigation looks at what processes or safeguards are in place to prevent sending PHI to inaccurate addresses — and there will be penalties if you don’t have these in place.
Having address verification tools in place could prevent violations and protect health insurance providers from steep fines if, somehow, they do occur.
It's no secret that every corner of healthcare is highly regulated. Beyond HIPAA violations for disclosing PHI, there are countless other regulations that affect health insurance plans, and inaccurate or incomplete address data can put a health insurance provider in conflict with many of them.
Some rules require health insurance providers to send required notices to members or providers within mandated timelines. For example, a Summary of Benefits and Coverage must be provided within a certain number of days to new applicants, enrollees, or COBRA beneficiaries.
Health insurance providers are also responsible for notifying policyholders of coverage changes, as described in the hypothetical situation above, and for giving proper notice before terminating coverage. Bad address data can cause cascading problems — if someone isn’t paying their premiums because they aren’t receiving the bill due to an inaccurate address, the health plan could cancel their policy but still run afoul of the requirement to inform them in a timely manner.
As with HIPAA violations, there are penalties for not complying with these regulations. If a health insurance provider doesn’t have a system in place for verifying and maintaining address data, it loses the ability to argue that it made a good-faith effort to comply with all relevant requirements.
In addition to legal consequences, failure to comply and communicate properly with patients has reputational implications. When incorrect or incomplete information causes patients to pay more financially, they also pay more emotionally — and their frustration affects their relationship with the health insurance provider.
Health insurance providers share data with a variety of business partners, including providers, labs, and pharmacies. Incorrect or incomplete address data is like a virus that can spread from one entity to another, putting partners at risk for HIPAA violations or mistakes like shipping prescriptions to the wrong address and interrupting patient treatment.
From a patient's perspective, these mistakes reflect on the health insurance provider, no matter what other entity might be responsible. Partners need to work together to ensure the accuracy of health data, including address data, as it flows throughout the healthcare system.
Documents mailed to bad addresses can also increase the risk of healthcare fraud when the wrong people open letters and misuse the information they find. The financial impact of fraud often comes back on the insurer, so it’s in the interest of health insurance providers to correct addresses not only in their own systems but also those of partners like labs or providers.
Fraud costs the insurance industry billions of dollars each year, but insurers can fight back by keeping their records up to date — including address data.
HIPAA standards cover more than wrongful disclosures of PHI. They also punish failures to perform organization-wide risk analyses and implement risk-management processes. Health insurance companies should conduct regular self-audits of how they protect PHI, and these audits should include the secure handling of address data.
Address verification tools like Smarty can help health insurance providers automatically identify and correct incomplete or inaccurate address data and avoid unintentional privacy and compliance violations. It's also possible to dramatically reduce the number of bad addresses that enter the system in the first place by using autocomplete tools. With the right precautions in place, you can protect your health insurance company — and your policyholders — from a multitude of privacy, compliance, and fraud risks.
Read the other articles in this series, The Silent Risks of Inaccurate Address Data for Health Insurance Providers: