United States: New HIPAA Settlement: The Other Shoe Drops On PR Insurer

Nearly two years after being hit with an unprecedented $6.8 million fine (later reduced to $1.5 million), a Puerto Rico insurer has agreed to a new $3.5 million settlement with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) for alleged HIPAA violations. Triple-S Management Corporation, the parent of Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare, will also adopt a corrective action plan to address deficiencies in its HIPAA compliance program. 

As previously discussed here, Triple-S Salud, Puerto Rico's largest health insurance company, was fined by Puerto Rico's Health Insurance Administration in February 2014 for accidentally mailing out pamphlets with visible claim numbers to 70,000 Medicare Advantage subscribers, and for failing to take appropriate actions after the data breach.  At the time, OCR said that it was continuing to investigate the company. On November 20, 2015, simultaneous with the OCR settlement, Triple-S reached a settlement with the Puerto Rico regulator in which the massive fine was reduced.

HHS's press release on its settlement listed numerous alleged HIPAA violations by the various Triple-S entities, including failure to implement appropriate safeguards to protect beneficiaries' protected health information (PHI), failure to conduct a thorough risk analysis of its data systems, inappropriate disclosures of PHI to an outside vendor with which Triple-S did not have a business associate agreement, and a violation of HIPAA's requirement that only the "minimum necessary" PHI be disclosed.

The compliance program required by Triple-S's Resolution Agreement with HHS will include a risk analysis, adoption of new HIPAA policies and procedures, and a training program for Triple-S's workforce and business associates.

HHS offers guidance on how organizations can conduct a HIPAA risk analysis. Day Pitney is launching its own proprietary HIPAA Self-Assessment Tool, details of which are available upon request.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.