“Explanation of Benefit Statements” or “EOBs” are paper or electronic documents that healthcare plan members receive after a healthcare claim is processed. The EOB may include members’ names, member identification numbers, claim numbers, dates of service, limited description of services, service codes, and/or provider/facility names. In other words, an EOB may contain protected health information.
The BAA between Horizon and CMI established CMI’s obligations as a business associate, including CMI’s duty to comply with the HIPAA Security Rule and to implement and use appropriate safeguards to protect the privacy of PHI and ePHI.
The BAA also required CMI to:
- Enter into written agreements with all agents and subcontractors to whom CMI provides PHI, requiring those agents or subcontractors to agree to the same restrictions and conditions with respect to PHI;
- Carry out adequate due diligence on each agent or subcontractor to ensure that it is capable of providing the level of protection required for the PHI and provide evidence of such due diligence to the customer upon request; and
- Remain liable for all acts and/or omissions of the agent or subcontractor.
Later that month, CMI executed a BAA with a subcontractor, SCI. The CMI-SCI services agreement called for SCI to assist CMI in providing fulfillment and printing services to Horizon, specifically the printing of EOBs. SCI agreed, as part of the BAA, to not use or disclose PHI in a manner that would not be permitted under HIPAA; to use appropriate safeguards to prevent the unauthorized use or disclosure of PHI; and to report to CMI any unauthorized use or disclosure of PHI, including any security incidents and breaches of unsecured PHI.
In late October, SCI decided to change its printing process. The change seemed harmless on its face – SCI decided to increase the thickness of the printing paper it used. SCI implemented the change without notifying either the plan or its business associate, CMI, and without implementing the HIPAA safeguards called for under the BAA. Because quality control checks were either absent or ineffective, the change caused the front page of one plan member’s EOB to be paired with the back page of another member’s EOB. SCI’s quality assurance system checked only front pages for errors, not back pages. As a result, SCI mailed a batch of EOBs in which one plan member’s PHI was delivered to another plan member.
In early November, the plan notified SCI of the mistake. The same day, SCI literally stopped the presses, by halting printing of all EOBs. By then, the damage was done. The printing error affected EOB statements mailed for a full 6 days, beginning October 31. Total number of plan members located in New Jersey that were affected: 55,715. The “oops, we goofed” EOBs contained PHI including member identification numbers, claims numbers, dates of service, descriptions of service provided, service codes, as well as provider and facility names. In mid-November, CMI informed the New Jersey state police and affected individuals of the breach.
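The detection gap described above (a QA step that inspects only front pages) can be shown with a small model of a duplex print batch. This is an added example, not SCI's system or any code from the case record; the page layout, the member IDs and the "feed offset" that models the misalignment are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    """One printed side of an EOB. member_id is the member whose PHI it carries."""
    member_id: str
    side: str  # "front" or "back"


def render_statements(member_ids):
    """Constructed print stream: every EOB is one front page followed by its back page."""
    stream = []
    for member in member_ids:
        stream.append(Page(member, "front"))
        stream.append(Page(member, "back"))
    return stream


def impose_sheets(stream, offset=0):
    """Pair front and back pages onto duplex sheets.

    offset models a feed slip in which the back pages shift by N positions
    relative to the fronts. This is an assumed model of how a paper-stock
    change could misalign sides, not a description of SCI's equipment.
    """
    fronts = stream[0::2]
    backs = stream[1::2]
    backs = backs[offset:] + backs[:offset]  # rotate backs by the slip
    return list(zip(fronts, backs))


def qa_front_only(sheets):
    """The check the text describes: only the front of each sheet is inspected.
    Returns indexes of sheets whose front page is not a front."""
    return [i for i, (front, _back) in enumerate(sheets) if front.side != "front"]


def qa_both_sides(sheets):
    """Stronger check: both sides must be the right orientation AND carry the
    same member ID. Returns indexes of sheets that must not be mailed."""
    bad = []
    for i, (front, back) in enumerate(sheets):
        if front.side != "front" or back.side != "back":
            bad.append(i)
        elif front.member_id != back.member_id:
            bad.append(i)  # another member's PHI on the reverse side
    return bad
```

With a one-position slip, `qa_front_only` passes the whole batch while `qa_both_sides` flags every sheet, which is exactly the condition under which the misdirected EOBs would have been caught before mailing.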
HIPAA Claims: Privacy Rule and Security Rule Violations
The Attorney General’s Office concluded that each printer violated the Security Rule and Privacy Rule by failing to protect the confidentiality of PHI and ePHI. Specifically, the AG concluded, CMI and SCI violated 45 CFR 164.306(a)(3). That Security Rule provision requires covered entities and business associates to protect against any reasonably anticipated uses or disclosures of PHI that are neither permitted nor required under the Privacy Rule.
In its second HIPAA claim, the AG concluded that each business associate violated 45 CFR 164.306(e), which requires covered entities and business associates to review and modify their Security Rule safeguards as needed to continue providing reasonable and appropriate protection of ePHI.
Rather than face a full-on hearing, CMI and SCI decided to settle with the AG. In the Consent Order (settlement document), each party agrees to a monetary settlement of $130,000, with $65,000 to be suspended so long as CMI and SCI abide by the terms of the Consent Order.