Puerto Rico Insurer Fined $3.5 Million in HIPAA Settlement
Result of Investigation into Several Breaches at Triple-S Management
In the second largest financial penalty ever issued as part of a HIPAA resolution agreement, federal regulators have smacked Puerto Rico-based Triple-S Management, an independent licensee of the Blue Cross Blue Shield Association, with a $3.5 million fine.
The Department of Health and Human Services' Office for Civil Rights says in a statement that it initiated an investigation of Triple-S after receiving multiple breach notifications from the company. Those breaches include several large incidents affecting more than 500 individuals, and several smaller breaches impacting fewer than 500 individuals. The largest of the breaches, listed on the HHS "wall of shame" website of major breaches as affecting 475,000, dates back to 2010.
"Through this settlement, OCR appears to be sending the message that, when it receives multiple, unrelated breach reports from a single entity - or related entities - OCR will review whether these recurring breaches are caused by systematic noncompliance and will take significant action if that proves to be the case," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
This isn't the first time that Triple-S has been hit with a large fine related to its HIPAA compliance. In February 2014, a government agency in Puerto Rico levied a $6.8 million HIPAA sanction against Triple-S subsidiary Triple-S Salud for a 2013 breach involving a mailing error that affected about 13,000 beneficiaries (see Huge Fine in Puerto Rico Breach). That enforcement action by the Puerto Rico Health Insurance Administration, also known by its Spanish-language acronym "ASES," required Triple-S to implement a plan that would ensure breaches do not recur at the company.
OCR says investigations into the various incidents indicated "widespread non-compliance" throughout the various subsidiaries of Triple-S, including:
- Failure to implement appropriate administrative, physical and technical safeguards to protect the privacy of its beneficiaries' PHI;
- Impermissible disclosure of its beneficiaries' PHI to an outside vendor with which it did not have an appropriate business associate agreement;
- Use or disclosure of more PHI than was necessary to carry out mailings;
- Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications and data systems utilizing ePHI; and
- Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
The settlement requires a corrective action plan that mandates Triple-S establish a comprehensive compliance program designed to protect the security, confidentiality and integrity of the personal information it collects from its beneficiaries. That includes:
- A risk analysis and a risk management plan;
- A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
- Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
- A training program covering the requirements of the HIPAA privacy, security and breach notification rules for all members of the workforce and business associates providing services on Triple-S' premises.
Triple-S declined to comment.
Other Enforcement Actions
The resolution agreement with Triple-S is the fifth OCR HIPAA settlement so far in 2015 and the 27th since 2008. Just last week, OCR announced a HIPAA resolution agreement with Lahey Hospital and Medical Center in Burlington, Mass., stemming from an investigation into the theft of a laptop that was used to operate a medical device. That agreement includes an $850,000 fine and a corrective action plan (see Lahey Hospital Fined $850,000 in HIPAA Case).
OCR's latest HIPAA enforcement actions could be fueled, in part, by practical motives, says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"In the span of 10 days, OCR has made settlements that will bring the agency $4.35 million dollars," he notes. Under the HITECH Act, OCR was provided the authority to retain any penalties collected for use in carrying out enforcement of the HIPAA standards, he notes. "OCR's actions to secure funding for its ongoing operations appears to be a brilliant strategic tactic in light of the uncertainty of Congressional action on the federal budget. And, with hundreds of active compliance reviews brought about by breaches of health information, I would not be surprised to see additional settlements announced in the coming weeks."
The largest OCR HIPAA settlement to date was a 2014 resolution agreement - which included a $4.8 million penalty and corrective action plan - with New York-Presbyterian Hospital and Columbia University tied to a 2010 breach (see $4.8 Million Settlement for Breach).
OCR's settlement with Triple-S cites the same 2013 breach that affected 13,000 individuals and was at the center of the Puerto Rican agency ASES' HIPAA case against Triple-S Salud. OCR notes that Triple-S Salud on Nov. 8, 2013, reported to OCR that on Sept. 23, 2013, the company became aware that a vendor had disclosed Triple-S Salud Medicare Advantage beneficiaries' PHI on the outside of a pamphlet mailed to the beneficiaries. The PHI disclosed included the beneficiaries' names, mailing addresses and Health Insurance Claim Numbers, OCR says.
The resolution agreement also notes that Triple-S Salud and another Triple-S subsidiary, Triple-C, reported to OCR that on Sept. 21, 2010, they discovered that two former Triple-S workforce members employed by a competitor improperly accessed restricted areas of Triple-S Salud's proprietary Internet database managed by Triple-C that included information on 475,000 individuals.
"They were able to gain access to the database because their access rights were not terminated upon leaving the employment of Triple-S. As a result, the electronic PHI accessed in the database included members' names, contract numbers, home addresses, diagnostic codes and treatment codes," the resolution agreement says.
The resolution agreement notes that Triple-S and its subsidiaries involved in the various breaches are covered entities or business associates under the HIPAA rules.
However, privacy attorney Greene says he views the resolution agreement as mainly one involving a covered entity.
"I do not really see this as the first settlement with a business associate, as they are also a covered entity and it is not clear that the conduct at issue related to their role as a business associate rather than as a covered entity," he says.
OCR's enforcement activities seem to be heating up, Greene notes. "After a record seven settlements in 2014, we had a slow start to 2015. We're now up to five settlements for 2015, which is in line with 2013 and 2012. It's difficult to say whether we will see any more settlements in 2015 - it could be coincidental that we saw two settlements so close together, or it could be a sign of OCR having a backlog of settlements in the pipeline and trying to get some of them out the door by the end of the year."
In a statement provided to ISMG, OCR notes: "Some covered entities also function as business associates, depending on the scope of their operations. The message of this case is not necessarily about business associates, but rather impermissible disclosures to business associates. All covered entities and business associates should not only be aware of their security requirements under the Security Rule, as highlighted here, but also of their requirements regarding minimum necessary and business associate agreements under the Privacy Rule."