Triple-S Management Corp. (TSM), a Puerto Rico health insurer, agreed to pay $3.5 million in a Health Insurance Portability and Accountability Act (HIPAA) settlement after the U.S. Department of Health and Human Services (HHS) investigated multiple breach reports from the company and found multiple cases of noncompliance throughout the organization. TSM is an insurance holding company that offers different insurance products and services through its subsidiaries.
Since 2010, these companies have reported five major breaches and two minor ones. The Office for Civil Rights (OCR) received multiple breach notifications from TSM involving unsecured protected health information (PHI) and initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of TSM, including:
- Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
- Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
- Use or disclosure of more PHI than was necessary to carry out mailings;
- Failure to conduct an accurate and thorough risk analysis that incorporates all information technology equipment, applications, and data systems utilizing electronic PHI; and
- Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its electronic PHI to a reasonable and appropriate level.
The settlement requires Triple-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:
- A risk analysis and a risk management plan;
- A process to evaluate and address any environmental or operational changes that affect the security of the electronic PHI it holds;
- Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
- A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TSM premises.
TSM, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA.
The Resolution Agreement and Corrective Action Plan can be found on the OCR website at:http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/triples/index.html
HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment