Two glaring lessons leap out from the latest news on HIPAA enforcement by the New Jersey Attorney General, who issued a Consent Order last week against two printing companies.
- States can enforce HIPAA, as noted last month in a story about a New Jersey fertility clinic.
- Business associates can be investigated and may pay the consequences for not following HIPAA.
In another industry, the mistake the printing companies made might have lost them the customer. In this case, since they were handling patients’ protected health information (PHI), it cost a good deal more.
Preventable Error Leads to HIPAA Fines
The Consent Order issued on November 10 includes $130,000 in fines against Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI). Both companies printed and mailed benefits statements for a New Jersey-based managed healthcare organization. A vendor that provides services to a covered entity and has access to protected health information is a HIPAA business associate: it must follow HIPAA law and must enter into a business associate agreement with the covered entity.
The Consent Order alleges the printing companies violated HIPAA and the New Jersey Consumer Fraud Act when the PHI of 55,715 New Jersey residents was breached as a result of the printing companies’ mistakes. The New Jersey Division of Consumer Affairs’ investigation found that SCI changed its printing processes, which resulted in an error that caused the final page of one member’s statement to be added to the first page of another member’s statement. Under HIPAA, procedures should have been in place to check the benefits statements before mailing. The error could have been prevented with a simple review.
According to the Consent Order, the companies violated HIPAA by failing to ensure the confidentiality of PHI, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify security measures to ensure reasonable and appropriate protections were in place to ensure the confidentiality of PHI. Although both companies disputed the findings, they agreed to the settlement and agreed to implement new safeguards.
Covered Entities Need to Manage Business Associates
Although not mentioned in the Consent Order, the covered entity also has responsibility for managing its business associates. Did the managed healthcare organization that contracted with the printing companies conduct due diligence to find out about their HIPAA compliance? Did they ask whether they had designated Privacy and Security officials, and whether they’d conducted a HIPAA Risk Analysis?
We are not saying that the covered entity failed in this case; the facts aren’t known. But this is a good illustration of why HIPAA requires covered entities to ask questions of their business associates, to raise their awareness, and to ensure their compliance with HIPAA.