2 NJ Printing Companies Fined for HIPAA Violations, PHI Exposure

November 16, 2021 - Two New Jersey-based printing companies agreed to pay a fine of $130,000 for potentially committing HIPAA violations and New Jersey Consumer Fraud Act (CFA) violations through protected health information (PHI) exposure, according to an announcement from the Division of Consumer Affairs and Andrew J. Bruck, New Jersey’s acting attorney general.

The companies will also be required to implement new security policies to prevent further PHI exposure.

Command Marketing Innovations and Strategic Content Imaging are both businesses that provide printing and mailing services to a leading managed healthcare organization in New Jersey. The two companies allegedly failed to safeguard the PHI of over 55,500 New Jersey residents.

Both Command Marketing Innovations and Strategic Content Imaging allegedly neglected to detect a printing error that impacted explanation of benefits statements mailed to New Jersey residents between October 31, 2016 and November 2, 2016.

The printing error caused the back page of one member’s statement to be printed on the front page of another member’s statement and led to the improper exposure of claims numbers, provider and facility names, descriptions of medical services, and dates of service.

The companies allegedly violated HIPAA by failing to protect against a reasonably anticipated unauthorized disclosure of PHI contained in explanation of benefits statements, failing to ensure the confidentiality of PHI, and failing to review and modify security measures.

“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” Bruck said in the statement. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”

Both companies dispute the Division of Consumer Affairs’ allegations but agreed to a Consent Order that requires them to implement a comprehensive security information program and event management tool to track security vulnerabilities.

Command Marketing Innovations and Strategic Content Imaging will also be required to appoint one employee for each company as its chief information security officer (CISO) and one employee for each company as a chief privacy officer.

The two businesses also agreed to implement a security awareness and anti-phishing training program and obtain approval from clients that keep or transmit health information before making any alterations to their printing processes.

If they follow the terms of the Consent Order, $65,000 will be deducted from the settlement amount.

Under HIPAA, business associates who interact with protected health information are required to sign a business associate agreement (BAA) with healthcare organizations.

The BAA ensures that the third-party vendors follow the same security and privacy measures as HIPAA covered entities concerning PHI. Third-party risk management practices are crucial to securing PHI and preventing avoidable data breaches.

“Our commitment is to ensure that anyone who handles protected information properly safeguards that information,” Sean P. Neafsey, acting director of the Division of Consumer Affairs explained. “We are pleased CMI and SCI have agreed to implement new practices to protect consumers’ information.”