A Puerto Rico health insurer agreed to pay $3.5 million in a HIPAA settlement after the U.S. Department of Health and Human Services, investigating multiple breach reports from the company, found what it called “widespread noncompliance” throughout the organization.
Triple-S Management Corp. is an insurance holding company that offers many insurance products and services through its subsidiaries. Since 2010, these companies have reported five major breaches and two minor ones.
Five of the reported breaches involved mailing errors. In 2013, for example, a vendor for Triple-S Salud Inc. mailed its Medicare Advantage beneficiaries a pamphlet that displayed their protected health information on the outside. The PHI, which included Health Insurance Claim Numbers, had been shared with the vendor without a business associate agreement in place, HHS found.
Former employees of Triple-S and its business associates also were a recurring problem, according to the Nov. 30 resolution agreement between Triple-S and HHS’ Office for Civil Rights. In 2010, for example, two former employees working for a competitor managed to access TSS’ proprietary database because their access rights had not been terminated, OCR found. The electronic PHI accessed included diagnostic and treatment codes.
After investigating these breaches, OCR determined that TSS and other Triple-S subsidiaries had:
- failed to implement the appropriate safeguards on the privacy of beneficiaries’ PHI;
- disclosed PHI to a vendor without having the required business associate agreement;
- disclosed more than the minimum necessary PHI to send out the mailings;
- failed to conduct a comprehensive security risk analysis;
- failed to implement appropriate security measures to reduce risks to e-PHI; and
- failed to implement procedures for terminating access to e-PHI when someone’s employment ends.
The $3.5 million resolution amount is the highest OCR has levied on a single entity by settlement. The agreement also includes a detailed corrective action plan, although OCR acknowledged that Triple-S already has taken many of these steps with technical assistance from the agency.
“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the corrective action plan entered into with OCR,” Triple-S President Ramon Ruiz stated. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies.”
Corrective Action Steps
The CAP requires Triple-S to establish a comprehensive compliance program that includes:
- a risk analysis and risk management plan;
- a process for evaluating and addressing environmental or operational changes that affect the security of e-PHI;
- policies and procedures on complying with many of the major HIPAA requirements, including minimum necessary, business associates and device and media controls; and
- training for all workforce members, and on-premises business associates, on HIPAA’s privacy, security and breach notification rules.
The policies and procedures must be submitted to HHS within 60 days after the agency approves the risk management plan, then implemented within 30 days after HHS approves them. Triple-S must distribute the policies and procedures to all workforce members and business associates, and obtain their certification of compliance as a condition of PHI access.
Like many resolution agreements, the CAP also requires Triple-S to notify HHS of “reportable events” involving an employee’s violation of policies and procedures, and to submit an “implementation report” attesting to the distribution of policies and completion of training.
HIPAA’s privacy and security rules are discussed in the Employer’s Guide to HIPAA Privacy Requirements.