Share this article on:
Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights.
This is the second HIPAA violation fine to be announced in the space of a week, with the latest financial penalty closely following the $850,000 settlement between OCR and Lahey Hospital and Medical Center. The latest fine highlights just how costly non-compliance can be.
This does not need to be explained to Triple S Management Corporation. The company was already hit with a HIPAA violation fine of $6.8 million by the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal.
The PRHIA fine was issued following the mailing of a pamphlet that displayed the Medicare Health Insurance Claim Numbers of subscribers. The HIPAA violation fine corresponded to $500 for each of the 13,336 members of the insurer’s Medicare and Medicaid beneficiaries.
Serial Violations of the HIPAA Privacy and Security Rules Result in Major HIPAA Violation Fine
The fine was issued to Triple S Management Corporation, on behalf of its subsidiaries Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., as a penalty for multiple data breaches that had been suffered as a direct result of HIPAA-compliance failures. The Puerto Rico BCBS licensee agreed to settle over alleged HIPAA Privacy and Security Rule violations without admission of liability.
Data breaches have been suffered by Triple S Management Corporation and its subsidiaries on at least 8 separate occasions since 2010, including five breaches last year.
The first data breach to be reported to the OCR occurred in 2010, and involved the theft of PHI of 475,000 individuals. A number of employees of Triple-S left the company and started working for a rival insurance company; however, Triple-S failed to terminate their database access rights after they left. This enabled the former employees to download the Protected Health Information of Triple-S subscribers, which they did for seven days.
In 2013, 13,336 subscribers were affected by aforementioned mailing error. In 2014, four instances of theft of PHI were reported by Triple-S subsidiaries. Those data breaches affected a total of 419,706 individuals.
Two of the 2014 data breaches were suffered by Triple-C Inc., the largest of which exposed the PHI of 398,000 individuals. Triple-S Salud suffered three separate data breaches in 2014, including one that exposed the PHI of 56,853 individuals. This year, Triple S Advantage, Inc., reported a data breach that exposed 1,458 member records.
OCR conducted an investigation into the data breaches and discovered numerous potential HIPAA violations stemming from “widespread non-compliance” issues.
OCR Investigators Discover Multiple ‘Potential’ HIPAA Violations
As was the case with Lahey Hospital and Medical Center, an accurate and thorough risk assessment had not been conducted. In the case of Triple-S, the risk assessment did not cover all systems, applications, and equipment that used or came into contact with ePHI.
OCR investigators also discovered multiple Security Rule violations including a lack of security measures to protect ePHI, and failures to implement administrative, physical, and technological controls to protect the privacy of its subscribers.
Following the $1.5 million Puerto Rico Health Insurance Administration fine, it was not clear whether OCR would also issue a financial penalty. It has taken some time, but the settlement does appear to include HIPAA failures which contributed to the cause of that breach. OCR cited the disclosure of more PHI than was necessary in order to carry out subscriber mailings. Investigators also discovered that on at least one occasion, PHI had been disclosed to a business associate without Triple-S having first obtained a signed business associate agreement.
The HIPAA violation fine of $3.5 million is only part of the settlement agreement. Triple S Management Corporation has also been issued with a robust action plan. The action plan requires Triple-S to develop a comprehensive HIPAA-compliance program. The insurer must also conduct a thorough risk assessment, develop a risk management plan, and train all staff on HIPAA Privacy, Security, and Breach Notification Rules. Training must also be provided to staff employed by its business associates.
The latest HIPAA violation fine is not the largest ever issued. In 2011, Cignet Health agreed to pay a HIPAA violation fine of $4.3 million to settle HIPAA Privacy Rule violations. Last year, New York-Presbyterian Hospital (NYPH) and Columbia University agreed to settle alleged HIPAA violations with OCR, and paid $4.8 million. 69% of that fine was covered by NYPH. The Triple S Management Corporation HIPAA penalty is therefore the second largest HIPAA violation fine issued to one organization.
Increase in Settlements Show OCR is Taking a Harder Line on Non-Compliance
A huge number of data breaches have been suffered by HIPAA-covered entities in the past two years, yet enforcement activities have been few and far between. OCR was recently criticized for its lack of enforcement – not for the first time – by the OIG, and an increase in financial penalties is expected.
Two settlements in the space of a week should send a clear message to covered entities that non-compliance is not an option, and that OCR is taking a harder line on violators of HIPAA Rules. With the next round of HIPAA compliance audits due to start in the first quarter of 2016, covered entities need to ensure that action is taken to address any areas of non-compliance that still exist. Due to the number of time OCR investigators have discovered risk assessment failures when investigating data breaches, that would be the best place for covered entities to start.