The New Jersey Attorney General has approved a $130,000 settlement with two printing firms to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) that resulted in a breach of the protected health information (PHI) of 55,715 New Jersey residents.
Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) provided services to a leading New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI such as claims numbers, dates of service, provider names, facility names, and descriptions of services being mailed to incorrect recipients.
When printing firms or other vendors provide services to HIPAA-covered entities that require access to PHI, they are required to enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. The responsibilities of HIPAA business associates include implementing safeguards to ensure the confidentiality, integrity, and availability of any PHI they are provided with.
The New Jersey Division of Consumer Affairs (DCA) launched an investigation and determined that SCI changed its printing processes in 2016, introducing an error that caused the final page of one member's statement to be appended to the first page of another member's statement. Procedures should have been in place to check the benefits statements before they were mailed.
The DCA determined that the impermissible disclosure of PHI violated both HIPAA and the CFA. Specifically, the companies violated HIPAA by failing to ensure the confidentiality of PHI, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify their security measures to ensure that reasonable and appropriate protections were in place to preserve the confidentiality of PHI.
The printing firms disputed the findings of the DCA investigation but agreed to a consent order which requires them to change their business practices and implement new safeguards to protect sensitive data.
The consent order requires each company to implement a comprehensive information security program and to use an event management tool to identify and track potential vulnerabilities and threats to the confidentiality of PHI. Each company must appoint an employee as Chief Information Security Officer, and that individual must have sufficient expertise in information security to implement, maintain, and monitor the information security program.
An employee with expertise in HIPAA compliance must be appointed as Chief Privacy Officer, a security awareness and anti-phishing training program must be implemented for the workforce, and policies and procedures must be put in place requiring approval from any client whose PHI the companies store or transmit before material changes are made to printing processes. $65,000 of the penalty has been suspended and will not have to be paid if the companies comply with the terms of the consent order.
“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Bruck. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”
This is the second financial penalty for violations of HIPAA and the CFA to be announced by New Jersey in as many months. In October, Diamond Institute for Infertility and Menopause was fined $495,000 to resolve HIPAA and CFA violations that led to a breach of the PHI of 14,663 New Jersey residents.