
On November 30, 2015, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced that Triple-S Management Corporation had agreed to pay $3.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy and security rules. This represents OCR’s largest individual HIPAA settlement amount to date. Triple-S Management Corporation (“TRIPLE-S”) is an insurance holding company based in San Juan, Puerto Rico. Through its subsidiaries, TRIPLE-S offers an array of insurance products and services to residents of Puerto Rico. From November 2010 to August 2015, TRIPLE-S reported to OCR that there had been multiple instances in which the protected health information (“PHI”) of TRIPLE-S’ customers had been improperly accessed, disclosed, or copied. OCR investigated TRIPLE-S and discovered “widespread non-compliance,” which included the following:
- failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
- impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
- use or disclosure of more PHI than was necessary to carry out mailings;
- failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
- failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
In addition to agreeing to pay $3.5 million, TRIPLE-S agreed to be bound by a corrective action plan. The plan requires TRIPLE-S to establish a comprehensive compliance program that includes the following:
- a risk analysis and a risk management plan;
- a process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
- policies and procedures to facilitate compliance with the requirements of the HIPAA Rules; and
- a training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises.
Moreover, according to the settlement, if TRIPLE-S breaches the obligations that the corrective action plan creates, and fails to cure such breaches, OCR will be free to pursue the actions that it forewent as part of the settlement.
A copy of the Department of Health and Human Services’ press release on the TRIPLE-S settlement is available here. Additionally, a copy of the TRIPLE-S settlement is available here.
Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928, bryoung@kslaw.com.