New Jersey has fined two printing companies $130,000 over an impermissible disclosure of the protected health information (PHI) of almost 56,000 New Jersey residents in 2016.
The fine is part of a settlement reached between Acting Attorney General Andrew J. Bruck and printing firms Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA).
The Office of the Attorney General was notified about a breach of the protected health information (PHI) of 55,715 New Jersey residents, which triggered an investigation by the New Jersey Division of Consumer Affairs (DCA) to determine whether state and/or federal regulations had been violated.
The breach in question was an impermissible disclosure incident in which the PHI of New Jersey residents was mailed to other individuals as a result of a printing error. CMI and SCI provided printing and mailing services, including the printing and mailing of explanation of benefits statements, to a leading New Jersey-based managed healthcare organization.
Between October 31, 2016, and November 2, 2016, a printing error occurred that resulted in the final page of one individual’s benefit statement being added to the first page of the statement for another individual. The final page of the statement included claim numbers, dates of service, provider names, facility names, and descriptions of services.
Under state and federal laws, business associates of HIPAA-covered entities are required to implement safeguards to ensure the confidentiality of personal and protected health information. Had those safeguards been implemented, the printing error would have been identified before any benefits statements were mailed.
The DCA investigation revealed an error had been introduced when SCI changed its printing process in 2016. Quality assurance systems at both SCI and CMI failed to spot the error, which resulted in an impermissible disclosure of PHI. Specifically, the DCA investigation revealed three violations of the HIPAA Rules:
- A failure to ensure the confidentiality of PHI
- A failure to protect against a reasonably anticipated unauthorized disclosure of PHI
- A failure to review and modify security measures, as necessary, to ensure reasonable and appropriate protection of PHI
SCI and CMI disputed the findings of the DCA investigation; however, both firms agreed to a consent order that requires them to change their business practices and implement additional safeguards to identify vulnerabilities and threats to PHI and better protect sensitive information. $65,000 of the $130,000 financial penalty is suspended, but that amount becomes payable if the companies fail to comply with the terms of the consent order.
The consent order requires each company to:
- Implement and maintain a comprehensive information security program and event management tool to track vulnerabilities and threats to PHI
- Subscribe to a personalized security awareness and anti-phishing training program and provide training to the workforce
- Obtain approval from clients before making any material changes to printing processes
- Appoint an employee as Chief Privacy Officer to oversee the compliance program, with that individual required to have a background and experience in HIPAA compliance
- Appoint an employee as Chief Information Security Officer, with that individual required to have a background in information security, appropriate to implementing, maintaining, and updating the information security program
“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Bruck. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”