Violating the basic privacy laws to which healthcare patients are entitled can be costly, such as the case involving the San Juan, Puerto Rico-based health insurance company Triple-S Management Corporation.
Triple-S Management has agreed to pay a whopping $3.5 million settlement as part of a Resolution Agreement with the United Stated Department of Health and Human Services (HHS) Office of Civil Rights (OCR). The HHS claims that Triple-S Management and its respective subsidiaries were involved in numerous Health Insurance Portability and Accountability Act (HIPAA) violations over the past four years.
After receiving several breach notifications from Triple-S, the OCR launched an investigation into the practice. It found that Triple-S Management failed to properly implement the necessary administrative, physical and technical safeguards to prevent disclosure of Protected Health Information (PHI); it failed to conduct regular risk analysis of its computer systems and networks; it failed to implement security measures to lower the risk of data breach; and the OCR claims that Triple-S Management even disclosed PHI to third-party organizations without the use of a Business Associated Agreement (BAA).
Not only is Triple-S Management required to pay a near record-setting settlement of $3.5 million, but it must also make changes to correct the noncompliances identified in the Resolution Agreement. These changes include the implementation of regular risk assessments and analysis; the development of a system for evaluating operational changes in its computer network; reviewing and modifying its HIPAA training materials; and reviewing and modifying its policies and procedures for HIPAA compliance.
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information,” said OCR Director Jocelyn Samuels in a statement.
Triple-S Management is one just example of why it's important for covered entities to abide by HIPAA. As the OCR prepares for its second round of audits, other healthcare providers, insurance companies and covered entities should use this time to ensure they are compliant. By correcting potential violations now, you can avoid being slapped with a hefty fine or other penalties.
To learn more about the settlement between Triple-S Management and the OCR, check out the Resolution Agreement here. The HHS has also posted a press release regarding the settlement on its website here.