Triple-S Management Corporation (“TRIPLE-S”) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.
TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico that offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries.
After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread noncompliance throughout the various subsidiaries of Triple-S.