Federal fines for violations of the Health Insurance Portability and Accountability Act (HIPAA) may not exceed $1.5 million per incident per year. That's already a big number to think about — but employers also need to remember that state and regional governments may impose separate fines in addition to the federal ones, thus increasing the potential cost of privacy and security breaches. This fact became clear when the Puerto Rican Health Insurance Administration (HIA) fined Triple-S Management Corp. (Triple-S) an unprecedented $6.8 million for its alleged failure to properly respond to a breach of protected health information (PHI).
In September 2013, Triple-S's subsidiary, Triple-S Salud Inc. (TSS), accidentally mailed a pamphlet to its approximately 70,000 Medicare Advantage patients with the recipients' Medicare Health Insurance Claim Numbers (HICNs) visible on the outside of the mailing. HICNs are considered protected health information under HIPAA and, as such, the law requires that covered entities and business associates notify affected individuals of any breach in the security or privacy of PHI within 60 days of discovering the breach.
Upon discovering the breach, Triple-S stated that TSS conducted an investigation, reported the incident to the appropriate Puerto Rican and federal government agencies, and cooperated with their requests for information. TSS also issued a breach notification via the local media and notified all affected beneficiaries by mail, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH).
Despite these measures, HIA still imposed a substantial $6.8 million fine on Triple-S, although it has yet to detail the deficiencies for which it is seeking penalties. Triple-S also faces sanctions, including the suspension of new Dual Eligible Medicare enrollments and a requirement to notify affected individuals of their right to disenroll.
The fine against Triple-S is unique not only for the fact that it far exceeds the maximum $1.5 million federal penalty, but also because HICNs are not the typical kind of sensitive information to prompt such aggressive enforcement. Furthermore, while HHS data indicates this is the second big HIPAA breach for Triple-S, there have been much bigger breaches affecting a larger number of individuals.
The case against Triple-S not only serves as a reminder that — in addition to federal regulations — HIPAA and HITECH policies must comply with state and local laws, but it may also encourage federal and/or state regulators to grow more aggressive with HIPAA enforcement and seek higher penalties. Accordingly, HIPAA-covered entities and business associates should make certain they have the appropriate measures in place to prevent and remedy breaches in compliance with all applicable HIPAA and HITECH rules. These include specific policies and procedures to protect PHI, to investigate and remedy breaches, and to notify affected individuals.
Training employees on how to comply with these requirements is crucial for employers to avoid the heavy fines and sanctions faced by Triple-S. WeComply's online course on HIPAA Privacy and Security facilitates compliance by explaining to employees the basic principles of HIPAA and HITECH privacy and security laws in simple, understandable terms.