Triple-S, an insurance holding company and subsidiary of Triple-S Management Corporation, was notified by the Puerto Rican Health Insurance Administration (“HIA”) that HIA would pursue penalties against Triple-S for its alleged failure to properly respond to a breach of protected health information (“PHI”) involving 13,336 Dual Eligible Medicare enrollees (enrollees also eligible for Medicaid). Though Triple-S stated that it had complied with its breach response requirements, including complying with requests from HIA, HIA is still seeking over $6.8 million dollars in penalties against Triple-S for its breach response. Aside from monetary penalties, the sanctions include the suspension of new Dual Eligible Medicare enrollments and impose a duty on Triple-S to notify affected individuals of their right to disenroll.
The breach arose from a September 20, 2013 incident in which a Triple-S mailing to 70,000 Medicare Advantage beneficiaries mistakenly included beneficiaries’ unique claim numbers, considered to be PHI under the Health Insurance Portability and Accountability Act (“HIPAA”). Triple-S investigated the breach and provided notices to individuals, the government, and the media as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Triple-S also provided individuals with a contact number to voice concerns and offered free credit reporting services to affected individuals. So what went wrong? Though HIA has yet to comment on the deficiencies for which it is seeking penalties, Triple-S’s predicament provides an opportunity to discuss appropriate breach responses under HIPAA and HITECH.
Investigation—The first step in responding to a breach of PHI is investigating the breach and identifying who was affected, what information was accessed, and how such access was achieved.
Notification—For breaches involving information of more than 500 people, which was the case for Triple-S, a health care entity must notify affected individuals, notify the Secretary of the Department of Health and Human Services, and notify prominent media outlets serving the state or jurisdiction, all without unreasonable delay and in no case later than 60 days after the discovery of breach. (Note: There are separate requirements where a breach involved information of fewer than 500 people).
Remedial Measures—In addition to investigative and notification duties, health care entities should also take steps to remedy the causes of the breach and to lessen any harm caused by the breach. These steps can include:
Security and Privacy Safeguards: After a breach, health care entities should consider adjusting security and privacy safeguards. For example, if the breach was the result of unsecured web browsing by employees, health care entities might consider using software that allows for secure web browsing.
Mitigation: Mitigation efforts can include providing free credit reporting or other identity theft tracking services, as Triple-S did in this instance.
Sanctions: The health care entity should sanction the individuals responsible for the breach. In Triple-S’s case, this might mean the employees responsible for sending out the pamphlets.
Policies and Procedures: Health care entities should think about revising their policies and retraining employees after a breach. For example, if the breach was a result of an employee taking unencrypted PHI home on a mobile device, a health care entity should consider revising its mobile device policy.
The above list is meant only for illustration purposes and is not exhaustive. When faced with the possibility of a potential breach of protected health information, you should consult with an experienced health care attorney for advice related to individual circumstances.
The Health Law Gurus™ will continue to follow news about HIPAA breaches and sanctions.
We encourage you to share your thoughts and opinions about HIPAA breaches and sanctions with us and our readers in the comments section below.
To view the Triple-S Securities and Exchange Commission filing regarding HIA’s imposition of penalties, click here.