The New Jersey Attorney General has announced a $130,000 settlement with two printing companies to resolve alleged violations of the New Jersey Consumer Fraud Act (CFA) and the Health Insurance Portability and Accountability Act (HIPAA) that resulted in a breach of the protected health information (PHI) of 55,715 New Jersey residents.
Strategic Content Imaging, LLC (SCI) and Command Marketing Innovations, LLC (CMI) provided printing and mailing services for benefits statements on behalf of a prominent managed healthcare company based in New Jersey. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI being mailed to the wrong recipients. The PHI included dates of service, claim numbers, provider names, facility names, and descriptions of services.
When printing companies or other vendors provide services to HIPAA-covered entities that require access to PHI, they must sign a business associate agreement with the covered entity and comply with the requirements of the HIPAA Security Rule. The duties of HIPAA business associates include implementing safeguards to ensure the confidentiality, integrity, and availability of any PHI they access.
The New Jersey Division of Consumer Affairs (DCA) launched an investigation and found that SCI changed its printing procedures in 2016, introducing an error that caused the last page of one member’s statement to be attached to the first page of another member’s statement. Processes should have been in place to check the benefits statements before they were mailed.
The DCA determined that the impermissible disclosure of PHI violated both HIPAA and the CFA. Specifically, the companies violated HIPAA by failing to protect the confidentiality of PHI, failing to protect against unauthorized disclosure of PHI, and failing to review and modify their security measures to ensure that reasonable and appropriate safeguards were in place to protect the confidentiality of PHI.
The printing companies disputed the DCA’s findings but agreed to a consent order that requires them to change their business practices and implement new security measures to protect sensitive data.
The consent order requires the companies to implement a comprehensive information security program and an incident management program to identify and assess potential risks and vulnerabilities to the privacy of PHI. Each company must designate an employee as Chief Information Security Officer, and that person must have sufficient expertise in information security to implement, maintain, and monitor the information security program.
An employee with expertise in HIPAA compliance must be designated as Chief Privacy Officer; security awareness and anti-phishing training programs must be provided to employees; and policies and procedures must be established that require authorization from clients that store or transmit PHI before material changes are made to printing procedures. The $65,000 fine has been suspended and will not have to be paid if the companies comply with the terms of the consent order.
Acting Attorney General Bruck states that firms that handle sensitive personal and medical data have a responsibility to safeguard patient privacy. Inadequate safety measures are not acceptable, and firms will be held accountable when they get around our regulations and put privacy and security at stake.
This is the second financial penalty announced by New Jersey for violations of HIPAA and the CFA in as many months. In October, Diamond Institute for Infertility and Menopause was fined $495,000 to resolve HIPAA and CFA violations that resulted in the compromise of the PHI of 14,663 New Jersey residents.