Triple-S Management Corporation (“Triple-S”), on behalf of its wholly-owned subsidiaries, Triple-S Salud, Inc., Triple-C, Inc., and Triple-S Advantage, Inc., has agreed to pay $3.5 million as part of a Resolution Agreement with the Department of Health and Human Services Office of Civil Rights (“OCR”) (“Resolution Agreement”). The Resolution Agreement settled all potential liabilities related to potential and actual breaches of unsecured protected health information (“PHI”) dating back to 2010.
As an insurance holding company, Triple-S is a covered entity and must comply with HIPAA. Triple-S, which is based in San Juan, Puerto Rico, offers a wide range of insurance products and services in Puerto Rico through its wholly-owned subsidiaries. Because of its licensed affiliation with Blue Cross and Blue Shield Association, Triple-S is the largest medical insurance provider in Puerto Rico.
OCR investigated Triple-S and its subsidiaries after receiving several breach notifications from Triple-S involving unsecured PHI. OCR discovered widespread noncompliance during its investigation, including:
Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of the PHI of its beneficiaries;
Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing electronic PHI (“ePHI”); and
Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
Furthermore, Triple-S impermissibly disclosed PHI to an outside vendor without an appropriate business associate agreement and used or disclosed more PHI than necessary to carry out mailings in violation of minimum necessary use requirements for PHI.
In response to these violations, OCR Director Jocelyn Samuels stated, “[t]his case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”
In addition to the monetary settlement, Triple-S is required to initiate a three-year corrective action plan to correct deficiencies in its HIPAA compliance protocol. This corrective action plan requires, among other things, that Triple S:
Conduct a comprehensive risk assessment and implement a risk management plan;
Develop and implement a process for evaluating environmental and operational changes regarding its ePHI system;
Review its policies and procedures for compliance with federal requirements and implement revised policies and procedures; and
Review its training materials and train its employees using revised training materials.
The Triple-S settlement is a costly reminder of the risks associated with HIPAA non-compliance and emphasizes the importance of proper business associate agreements and the minimum necessary use requirements for PHI.
With the upcoming OCR audits, you should ask yourself the following questions:
(1) Does your organization have adequate business associate agreements with all of its vendors, and are your business associates committed to HIPAA compliance?
(2) Does your organization have effective policies and procedures to address HIPAA’s minimum use and disclosure requirements?
The Health Law Gurus™ will continue to follow OCR settlements as they are announced. Check back with us for updates.
To read a copy of the press release, click here.
To read a copy of the Resolution Agreement, click here.