HIPAA claims

In November of 2021, the New Jersey State Attorney General’s (AG) Office, Division of Consumer Affairs, settled two HIPAA claims: one against Command Marketing Innovations (CMI), and another against CMI’s business associate, Strategic Content Imaging, LLC (SCI). This $130,000 resolution settled each company’s potential HIPAA Security Rule and Privacy Rule violations. The printing companies were brought before the New Jersey AG for having failed to implement adequate HIPAA safeguards, a failure that resulted in a large data breach.

Background: Attorneys General Have HITECH Power Over HIPAA CEs and BAs

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. In such cases, the Attorneys General are authorized to seek penalties in the form of money damages. They can also impose corrective action plans on entities with whom they settle. In recent years, state attorneys general have not hesitated to avail themselves of this authority.

If It’s Broke, Don’t Print It

The New Jersey Attorney General’s Office brought a HIPAA claim against Command Marketing Innovations (CMI), and another HIPAA claim against CMI’s business associate, Strategic Content Imaging, LLC (SCI). The HIPAA claims arose from a 2016 data breach.


CMI is a Garfield, New Jersey-based company that provides print and marketing solutions to its clients. SCI, based in Secaucus, New Jersey, provides digital print, finishing, and fulfillment services to businesses. Both entities are HIPAA business associates. In September of 2016, CMI and a customer, Horizon, a New Jersey-based managed care organization (MCO), entered into a business associate agreement (BAA) for CMI to provide mailing, fulfillment, and printing services to the healthcare organization, including the printing and mailing of Explanation of Benefits (EOB) statements for Horizon’s members.


“Explanation of Benefits Statements” or “EOBs” are paper or electronic documents that healthcare plan members receive after a healthcare claim is processed. An EOB may include members’ names, member identification numbers, claim numbers, dates of service, a limited description of services, service codes, and/or provider/facility names. In other words, an EOB may contain protected health information (PHI).

The BAA between Horizon and CMI established CMI’s obligations as a business associate, including CMI’s duty to comply with the HIPAA Security Rule and to implement and use appropriate safeguards to protect the privacy of PHI and ePHI.

The BAA also required CMI to:

  • Enter into written agreements with all agents and subcontractors to whom CMI provides PHI, requiring those agents or subcontractors to agree to the same restrictions and conditions with respect to PHI;
  • Carry out adequate due diligence on each agent or subcontractor to ensure that it is capable of providing the level of protection required for the PHI and provide evidence of such due diligence to the customer upon request; and
  • Remain liable for all acts and/or omissions of the agent or subcontractor.

Later that month, CMI executed a BAA with a subcontractor, SCI. The CMI-SCI services agreement called for SCI to assist CMI in providing fulfillment and printing services to Horizon, specifically the printing of EOBs. SCI agreed, as part of the BAA, to not use or disclose PHI in a manner that would not be permitted under HIPAA; to use appropriate safeguards to prevent the unauthorized use or disclosure of PHI; and to report to CMI any unauthorized use or disclosure of PHI, including any security incidents and breaches of unsecured PHI.

In late October, SCI decided to change its printing process. The change seemed harmless on its face: SCI increased the thickness of the printing paper it used. SCI implemented the change without notifying either the plan or its business associate, CMI, and without implementing the HIPAA safeguards called for under the BAA. Because quality control checks were either absent or failed, the change caused the front page of one plan member’s EOB to be paired with the back page of another member’s EOB. SCI’s quality assurance system checked only front pages for errors, not back pages, so the mismatch went undetected. As a result, SCI mailed a batch of EOBs in which one plan member’s PHI was sent to another plan member.

In early November, the plan notified SCI of the mistake. The same day, SCI literally stopped the presses by halting printing of all EOBs. By then, the damage was done. The printing error affected EOB statements mailed over a full six days, beginning October 31. In total, 55,715 plan members located in New Jersey were affected. The “oops, we goofed” EOBs contained PHI including member identification numbers, claim numbers, dates of service, descriptions of services provided, service codes, and provider and facility names. In mid-November, CMI informed the New Jersey State Police and the affected individuals of the breach.

HIPAA Claims: Privacy Rule and Security Rule Violations

The Attorney General’s Office concluded that each printing company violated the Security Rule and the Privacy Rule by failing to protect the confidentiality of PHI and ePHI. Specifically, the AG concluded that CMI and SCI violated 45 CFR 164.306(a)(3). That Security Rule provision requires covered entities and business associates to protect against any reasonably anticipated uses or disclosures of PHI that are neither permitted nor required under the Privacy Rule.

In its second HIPAA claim, the AG concluded that each business associate violated 45 CFR 164.306(e), which requires covered entities and business associates to review and modify their Security Rule safeguards as needed to continue providing reasonable and appropriate protection of ePHI. SCI’s change to its printing process without a corresponding review of its quality controls is the kind of unreviewed change this provision is meant to catch.

Rather than face a full hearing, CMI and SCI decided to settle with the AG. In the Consent Order (the settlement document), the parties agree to a monetary settlement of $130,000, with $65,000 suspended so long as CMI and SCI abide by the terms of the Consent Order.