On November 30, 2015 the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced the settlement of potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) by TRIPLE-S Management Corporation (“TRIPLE-S”). TRIPLE-S agreed to pay $3.5 million to resolve the allegations and will adopt a robust corrective action plan to correct its past deficiencies. (Click here to view the Resolution Agreement and Corrective Action Plan.)
“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”
TRIPLE-S, an insurance holding company based in Puerto Rico, provides a wide range of insurance products and services to residents through its multiple subsidiaries. Beginning in November 2010 and concluding in August 2015, TRIPLE-S reported the first of five breaches impacting 500 or more individuals and two breaches impacting less than 500 individuals. TRIPLE-S fully cooperated in the investigations conducted by HHS-OCR.
OCR’s investigations indicated widespread non-compliance that resulted in unsecured protected health information (PHI) breaches including:
- Failure to implement appropriate administrative, physical, and technical safeguards to protect PHI;
- Impermissible disclosure of PHI to an outside vendor with which it did not have an appropriate Business Associate Agreement (“BAA”);
- Use or disclosure of more PHI than necessary to conduct its business;
- Failure to conduct an accurate and through risk assessment that incorporates all IT equipment, applications, and data systems utilizing PHI; and
- Failure to implement security measures sufficient to reduce the risk to its ePHI to a reasonable and appropriate level.
Facts behind the breaches:
- Two former TRIPLE-S employees were able to access restricted areas of the company’s database containing PHI because their access rights were not terminated upon leaving employment.
- Twice an outside vendor disclosed PHI on a pamphlet that was mailed to beneficiaries. TRIPLE-S did not have a BAA with the vendor.
- A former employee copied PHI onto a CD and subsequently downloaded the protected information onto a computer at his new employer.
- Staff placed the incorrect member ID card in mailing envelopes, resulting in beneficiaries receiving the member ID card of another individual.
- Health Plan Identification numbers were placed on labels used in a mailing to beneficiaries.
- A preventative mailing was sent to beneficiaries that included PHI for another member on the back of the letter.
The settlement requires TRIPLE-S to establish a comprehensive compliance program that includes:
- A risk analysis and risk management plan;
- A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
- Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
- A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all employees and business associates providing services on TRIPLE-S premises.
Terms of the settlement require the company to be monitored by OCR for three-year period and following that term, TRIPLE-S will be obligated to provide OCR all documents and records related to compliance with the settlement for six years. This settlement illustrates OCR’s heightened scrutiny of Business Associate Agreements and third-party vendor relationships. A company’s PHI safeguards are only as strong as the safeguards of the vendors with whom the company does business. Covered entities must exercise due diligence in the selection of third-party vendors, review the vendor’s cyber security and data breach plans, ensure that BAAs are in place and are being followed, review contractual obligations, and require audits of PHI safeguards. It sounds as if there will be many more enforcements of this nature to follow.