Healthcare compliances training and discussion blog

Archive for January, 2016

OSHA fines 2 companies in worker’s death at Longmont’s Village at the Peaks

The Occupational Safety and Health Administration has cited and fined two Colorado companies for a dozen serious violations in the wake of a construction worker’s death at Village at the Peaks in August.

Tereso Zamarippa-Hernandez, 39, died after falling 15 feet through a hole in a roof and landing on concrete. Zamarippa-Hernandez was pronounced dead at the scene on Aug 31.

Erie-based Ramos Roofing, Zamarippa-Hernandez’ employer, was fined $11,460 for not having a safety program in place to check for the presence of holes and protecting employees from falling or tripping, according to OSHA.

Ramos was also cited for not properly training employees on safe ladder and stairway usage.

Colorado Springs-based Colorado Structures Incorporated was fined $12,775 for not initiating and maintaining a safety program to provide frequent and regular inspections of jobsites, materials and equipment, exposing workers to fall hazards. Ramos Roofing was also cited, an OSHA representative said.

OSHA cited both companies for not properly illuminating job sites and not properly securing and marking covers and making sure they were substantial enough to support employees.

Longmont police said at the time of the incident that Zamarippa-Hernandez fell through the hole in the roof before the sun had risen, and investigators didn’t find any flashlights on site.

OSHA determined the 12 violations between the two companies to be “serious,” documents show.

Ramos Roofing owner Alfredo Ramos said that he is working to reinforce safety policies but added that his company already had safety procedures in place at the time of the accident.

“We have a safety policy that encompasses everything currently,” Ramos said. “But we are going to reinforce and strengthen them. We are working with a safety consulting firm that is going to be a second set of eyes.”

Ramos declined to comment further but added that $30,000 was raised to help family members of Zamarippa-Hernandez in the immediate aftermath of the accident.

Attempts to reach CSI president Gabe Godwin via phone and email on Wednesday weren’t successful. A receptionist at the company said he was out of the office on Wednesday.

Newmark Merrill Mountain States, the property developer, had not responded to a request for comment as of Wednesday afternoon.

Herb Gibson, area director for the OSHA Denver Area Office, said both companies are working with OSHA to resolve the issues, and the companies have abated the hazards OSHA identified during its investigation.

He urged employers to visit the website to get information on fall protection. He said fall protection is the number one priority in Colorado, and a local program has been in place for about 10 years.

“There’s an amazing amount of information on the website,” he said. “We would like employers to have a comprehensive (fall protection) program in place to ensure employees are protected.”

John Bear: 303-684-5212, or


TRIPLE-S Management Corporation Agrees to $3.5 Million HIPAA Settlement

On November 30, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced the settlement of potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) by TRIPLE-S Management Corporation (“TRIPLE-S”). TRIPLE-S agreed to pay $3.5 million to resolve the allegations and will adopt a robust corrective action plan to correct its past deficiencies.

“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”

TRIPLE-S, an insurance holding company based in Puerto Rico, provides a wide range of insurance products and services to residents through its multiple subsidiaries. Beginning in November 2010 and concluding in August 2015, TRIPLE-S reported five breaches impacting 500 or more individuals and two breaches impacting fewer than 500 individuals. TRIPLE-S fully cooperated in the investigations conducted by HHS-OCR.

OCR’s investigations indicated widespread non-compliance that resulted in unsecured protected health information (PHI) breaches including:

  • Failure to implement appropriate administrative, physical, and technical safeguards to protect PHI;
  • Impermissible disclosure of PHI to an outside vendor with which it did not have an appropriate Business Associate Agreement (“BAA”);
  • Use or disclosure of more PHI than necessary to conduct its business;
  • Failure to conduct an accurate and thorough risk assessment that incorporates all IT equipment, applications, and data systems utilizing PHI; and
  • Failure to implement security measures sufficient to reduce the risk to its ePHI to a reasonable and appropriate level.

Facts behind the breaches:

  • Two former TRIPLE-S employees were able to access restricted areas of the company’s database containing PHI because their access rights were not terminated upon leaving employment.
  • Twice an outside vendor disclosed PHI on a pamphlet that was mailed to beneficiaries. TRIPLE-S did not have a BAA with the vendor.
  • A former employee copied PHI onto a CD and subsequently downloaded the protected information onto a computer at his new employer.
  • Staff placed the incorrect member ID card in mailing envelopes, resulting in beneficiaries receiving the member ID card of another individual.
  • Health Plan Identification numbers were placed on labels used in a mailing to beneficiaries.
  • A preventative mailing was sent to beneficiaries that included PHI for another member on the back of the letter.

The settlement requires TRIPLE-S to establish a comprehensive compliance program that includes:

  • A risk analysis and risk management plan;
  • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
  • Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
  • A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all employees and business associates providing services on TRIPLE-S premises.

Terms of the settlement require the company to be monitored by OCR for a three-year period, and following that term, TRIPLE-S will be obligated to provide OCR all documents and records related to compliance with the settlement for six years. This settlement illustrates OCR’s heightened scrutiny of Business Associate Agreements and third-party vendor relationships. A company’s PHI safeguards are only as strong as the safeguards of the vendors with whom the company does business. Covered entities must exercise due diligence in the selection of third-party vendors, review each vendor’s cyber security and data breach plans, ensure that BAAs are in place and are being followed, review contractual obligations, and require audits of PHI safeguards. It sounds as if there will be many more enforcement actions of this nature to follow.


Lahey Hospital Agrees to Settle Alleged HIPAA Breach

Recently, Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital located in Massachusetts, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $850,000 and adopting a robust corrective action plan.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) first received a HIPAA breach notification from Lahey in October 2011 upon Lahey’s discovery of a stolen laptop. The laptop in question operated a portable CT scanner and produced images for viewing through Lahey’s radiology information system. Its hard drive contained unencrypted electronic Protected Health Information (ePHI) of 599 individuals. OCR investigated the breach and found that Lahey failed to: conduct a thorough risk analysis; safeguard the workstation associated with the CT scanner; and maintain certain required policies and procedures, among other deficiencies.

In addition to agreeing to pay $850,000, Lahey entered into a corrective action plan that will remain in place for 2 years. The corrective action plan requires Lahey to take certain steps to improve HIPAA compliance. Specifically, Lahey must conduct a risk analysis, develop and revise certain policies and procedures, train its workforce, alert OCR of instances of suspected noncompliance, and issue annual reports to OCR regarding HIPAA compliance. Regarding Lahey’s settlement, OCR Director Jocelyn Samuels commented that “it is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment. Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”
