ARTICLE
2 December 2015

New HIPAA Settlement: The Other Shoe Drops On PR Insurer

Day Pitney LLP

Contributor

Day Pitney LLP is a full-service law firm with more than 300 attorneys in Boston, Connecticut, Florida, New Jersey, New York and Washington, DC. The firm offers clients strong corporate and litigation practices, with experience on behalf of large national and international corporations as well as emerging and middle-market companies. With one of the largest individual clients practices on the East Coast, the firm also has extensive experience assisting individuals and their families, fiduciaries and tax-exempt entities plan for the future.

Nearly two years after being hit with an unprecedented $6.8 million fine (later reduced to $1.5 million), a Puerto Rico insurer has agreed to a new $3.5 million settlement with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) for alleged HIPAA violations. Triple-S Management Corporation, the parent of Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare, will also adopt a corrective action plan to address deficiencies in its HIPAA compliance program. 

As previously discussed here, Triple-S Salud, Puerto Rico's largest health insurance company, was fined by Puerto Rico's Health Insurance Administration in February 2014 for accidentally mailing out pamphlets with visible claim numbers to 70,000 Medicare Advantage subscribers, and for failing to take appropriate actions after the data breach. At the time, OCR said that it was continuing to investigate the company. On November 20, 2015, simultaneously with the OCR settlement, Triple-S reached a settlement with the Puerto Rico regulator in which the massive fine was reduced.

HHS's press release on its settlement listed numerous alleged HIPAA violations by the various Triple-S entities, including failure to implement appropriate safeguards to protect beneficiaries' protected health information (PHI), failure to conduct a thorough risk analysis of its data systems, inappropriate disclosures of PHI to an outside vendor with which Triple-S did not have a business associate agreement, and a violation of HIPAA's requirement that only the "minimum necessary" PHI be disclosed.

The compliance program required by Triple-S's Resolution Agreement with HHS will include a risk analysis, adoption of new HIPAA policies and procedures, and a training program for Triple-S's workforce and business associates.

HHS offers guidance on how organizations can conduct a HIPAA risk analysis. Day Pitney is launching its own proprietary HIPAA Self-Assessment Tool, details of which are available upon request.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
