Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement


On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their Health Insurance Portability and Accountability Act (HIPAA) compliance efforts: business associate agreements and minimum necessary use of protected health information (PHI).

The subsidiaries are covered entities or business associates as defined by HIPAA. OCR initiated its investigation of these entities following several separate reported breaches. In its resolution agreement, OCR identified the entities’ violations of HIPAA with the following conduct:

  1. Impermissibly disclosing the PHI of beneficiaries as a result of breach incidents;
  2. Failing to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
  3. Impermissibly disclosing its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
  4. Disclosing more PHI than was necessary to accomplish the purpose for which it hired the outside vendor;
  5. Failing to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI;
  6. Failing to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level; and
  7. Failing to implement procedures for terminating access to ePHI when the employment of a workforce member ends.

OCR reached a $3.5 million settlement amount with Triple-S and issued an extensive three-year corrective action plan (CAP). The CAP requires Triple-S to conduct a security risk analysis and implement a risk management plan, implement a process for evaluating environmental and operational changes, review and revise policies and procedures, and provide training to its workforce and business associates. The CAP also requires annual reports attesting to compliance with the CAP.

This resolution agreement and CAP continue to demonstrate OCR’s focus on security risk analyses and risk management plans. OCR has previously set forth guidance for covered entities and business associates on conducting risk analyses. As covered entities and business associates prepare their 2016 budgets and work plans, we recommend review and revision of these important items for HIPAA compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.