The New Jersey Attorney General has announced a $130,000 settlement with two printing companies to resolve alleged violations of the New Jersey Consumer Fraud Act (CFA) and the Health Insurance Portability and Accountability Act (HIPAA) that resulted in the compromise of the protected health information (PHI) of 55,715 New Jersey residents.
Strategic Content Imaging, LLC (SCI) and Command Marketing Innovations, LLC (CMI) provided printing and mailing services for benefits statements on behalf of a large managed healthcare company based in New Jersey. Between October 31, 2016 and November 2, 2016, a printing error caused PHI to be mailed to the wrong recipients. The PHI included dates of service, provider names, claim numbers, facility names, and descriptions of services.
When printing companies or other vendors provide services to HIPAA-covered entities that involve access to PHI, they must enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. HIPAA business associates are obliged to implement safeguards to ensure the confidentiality, integrity, and availability of any PHI to which they have access.
The New Jersey Division of Consumer Affairs (DCA) launched an investigation and found that SCI had modified its printing systems in 2016, introducing the fault that caused the last page of one member's statement to be inserted as the first page of another member's statement. Procedures should have been in place to validate the benefits statements before they were mailed.
The DCA alleged that the impermissible disclosure of PHI violated both the CFA and HIPAA. Specifically, the vendors violated HIPAA by failing to protect the confidentiality of PHI, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify their security measures to ensure that reasonable and appropriate protections were in place to preserve the confidentiality of PHI.
The printing companies disputed the DCA's findings but agreed to a consent order that requires them to change their business practices and implement new safeguards to keep sensitive information protected.
The consent order requires a comprehensive information security program to be implemented, along with the use of event management software to identify and monitor potential vulnerabilities and threats to the privacy of PHI. Each company must appoint a Chief Information Security Officer with sufficient expertise in information security to implement, maintain, and monitor the information security program.
An individual with expertise in HIPAA compliance must be appointed as Chief Privacy Officer. A security awareness and anti-phishing training program must be implemented for the workforce. Policies and procedures must be adopted that require consent from clients that hold or transmit PHI before any material changes are made to printing operations. $65,000 of the financial penalty has been suspended and will not need to be paid provided the companies comply with the terms of the consent order.
Acting Attorney General Bruck said that organizations that access sensitive personal and health data have an obligation to protect patient privacy. Inadequate security measures are unacceptable, and companies will be held accountable if they circumvent our rules and put privacy and security at risk.
This is the second financial penalty announced by New Jersey for violations of the CFA and HIPAA in a matter of months. In October, the Diamond Institute for Infertility and Menopause paid $495,000 to settle HIPAA and CFA violations that resulted in the exposure of the PHI of 14,663 New Jersey residents.