Triple-S Management pays $3.5 million over HIPAA violations, poor patient protections

In addition, the Puerto Rico-based insurance holding company will implement a robust corrective action plan
By Jessica Davis, Associate Editor

Triple-S Management Corp. will pay $3.5 million to settle potential HIPAA violations with the U.S. Department of Health and Human Services' Office of Civil Rights after repeatedly failing to put safeguards in place for its beneficiaries' protected health information.

In addition, the San Juan, Puerto Rico-based insurance holding company will implement a robust corrective action plan to fix its HIPAA compliance deficiencies.

"OCR remains committed to strong enforcement of the HIPAA Rules," OCR Director Jocelyn Samuels said in a statement. "This case sends an important message for HIPAA Covered Entities, not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information," she said.

HHS received "multiple breach notifications" from Triple-S about unsecured protected health information, according to OCR, which soon launched its investigation to verify HIPAA compliance.

The subsequent investigation revealed widespread non-compliance throughout Triple-S and its subsidiaries.

This included failure to implement appropriate administrative, physical and technical safeguards to protect beneficiaries' PHI privacy; impermissible disclosure of beneficiaries' PHI to outside vendors without appropriate business associate agreements; use or disclosure of more PHI than necessary for mailings; failure to conduct accurate and thorough risk analysis; and failure to implement security measures sufficient to reduce risks and vulnerabilities.

Triple-S fully cooperated with the HHS investigation and agreed to instate a comprehensive HIPAA compliance program, a condition of the settlement. Its wholly-owned subsidiaries Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., are also covered in the settlement.

OCR has offered technical assistance to help with the corrective plan, and Triple-S will continue to work with OCR to gain HIPAA compliance.

To obtain good standing, Triple-S must create a risk analysis and risk management plan; a process to evaluate and address environmental or operational changes affecting PHI security; policies and procedures to facilitate HIPAA compliance; and a training program for all Triple-S workforce and business associates.