opening letter

HIPAA Lessons from New Jersey

Two glaring lessons leap out from the latest news on HIPAA enforcement by the New Jersey Attorney General who issued a Consent Order last week against two printing companies.

  1. States can enforce HIPAA, as noted last month in a story about a New Jersey fertility clinic.
  2. Business associates can be investigated and may pay the consequences for not following HIPAA.

In another industry, the mistake the printing companies made might have lost them the customer. In this case, since they were handling patients’ protected health information (PHI), it cost a good deal more.

Preventable Error Leads to HIPAA Fines

The Consent Order issued on November 10 includes $130,000 in fines against Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI). They both provided services to a New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. A vendor that provides services to a covered entity and has access to protected health information is a HIPAA business associate, must follow HIPAA law, and must enter a business associate agreement with the covered entity.

The Consent Order alleges the printing companies violated HIPAA and the New Jersey Consumer Fraud Act when the PHI of 55,715 New Jersey residents was breached as a result of the printing companies’ mistakes. The New Jersey Division of Consumer Affairs’ investigation found that SCI changed its printing processes which resulted in an error causing the final page of one member’s statement to be added to the first page of another member’s statement. Under HIPAA, procedures should have been in place to check the benefits statements before mailing. The error could have been prevented with a simple review.

According to the Consent Order, the companies violated HIPAA by failing to ensure the confidentiality of PHI, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify security measures to ensure reasonable and appropriate protections were in place to ensure the confidentiality of PHI. Although both companies disputed the findings, they agreed to the settlement and agreed to implement new safeguards.

Covered Entities Need to Manage Business Associates

Although not mentioned in the Consent Order, the covered entity also has responsibility for managing its business associates. Did the managed healthcare organization that contracted with the printing companies conduct due diligence to find out about their HIPAA compliance? Did they ask whether they had designated Privacy and Security officials, and whether they’d conducted a HIPAA Risk Analysis?

We are not saying in this case that the covered entity failed because the facts aren’t known. But this is a good illustration of why HIPAA requires covered entities to ask questions of their business associates, to raise their awareness, and ensure their compliance with HIPAA.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job® are registered trademarks of ET&C Group LLC

Terms & Conditions | Privacy Policy | Cookies Policy | Privacy Settings

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124