Two printing companies settled with New Jersey over an incident that exposed protected medical and client information. Under the state HIPAA settlement, Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) agreed to pay a $130,000 fine and implement more robust security policies.
Why Were They Fined?
The incident that led to the state HIPAA settlement occurred when the two printing and mailing companies, contracted by a healthcare organization, exposed the protected health information (PHI) of 55,715 individuals after failing to detect a printing error. Because of that error, explanation of benefits summaries were mailed to the wrong recipients; the summaries included claim numbers, dates of service, provider and facility names, and descriptions of services.
“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General of New Jersey Andrew J. Bruck. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”
The companies agreed to pay $130,000 to settle allegations that they violated the New Jersey Consumer Fraud Act (CFA) and the Health Insurance Portability and Accountability Act (HIPAA).
Specifically, the companies allegedly violated HIPAA by:
- Failing to ensure the confidentiality of PHI
- Failing to protect against a reasonably anticipated unauthorized disclosure of PHI
- Failing to review and modify security measures as necessary to ensure reasonable and appropriate protection of PHI
Under the state HIPAA settlement, the companies must also implement advanced security measures to prevent similar incidents from occurring in the future, including:
- Implementing and maintaining a comprehensive information security program, including a security information and event management (SIEM) tool to identify and track potential vulnerabilities and threats
- Appointing one employee at each company as its Chief Information Security Officer, with background and expertise in information security appropriate to implement, maintain, and monitor the information security program
- Appointing one employee at each company as its Chief Privacy Officer, with documented background and expertise in HIPAA compliance
- Subscribing to a personalized security awareness and anti-phishing training program and using the program to train their employees
- Obtaining approval from clients that keep or transmit health information before executing any material changes to their printing process
“Our commitment is to ensure that anyone who handles protected information properly safeguards that information,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “We are pleased CMI and SCI have agreed to implement new practices to protect consumers’ information.”