Triple S Salud Hit with Record $6.8 Million Fine for HIPAA Breach
Violations of the Health Insurance Portability and Accountability Act (HIPAA) can carry heavy financial penalties, and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has already issued fines of up to $1.9 million for security breaches and HIPAA non-compliance issues. However, Puerto Rican insurer Triple S Salud revealed yesterday that it has been hit with a record-breaking $6.8 million fine for breaching HIPAA regulations and exposing the data of thousands of beneficiaries of its Dual Eligible Medicare plan.
The Puerto Rico Health Insurance Administration submitted an 8-K filing after the discovery of the security breach, and Triple S Salud was notified earlier this month of the administration's intention to apply a financial penalty for the HIPAA violation. New sanctions will also be imposed which require the insurer to notify all individuals potentially affected by the breach and advise them of their right to leave the program. It must also suspend new enrollments to the Dual Eligible Medicare plan.
HIPAA violations investigated by the OCR have resulted in financial penalties being issued to 14 institutions since 2009, although the OCR has only issued one civil financial penalty for a HIPAA Privacy Rule violation to date: a $4.3 million settlement with Cignet Health Care in 2011. Other fines issued ranged between £35K and $1.7 million. The financial penalties issued by the Puerto Rican government are substantially higher than those issued by the OCR.
Triple S Salud violated the HIPAA Privacy Rule on Sept 20, 2013 when a mailing was sent to around 70,000 Medicare Advantage beneficiaries. Each beneficiary is allocated a unique Medicare Health Insurance Claim Number (HICN), and that number was printed on the mailed pamphlet. However, the HICN is classed as PHI, so by including it on the pamphlet Triple S was in breach of HIPAA rules.
When Triple S Salud learned of the violation it commenced an investigation, reported the incident to the appropriate authorities and issued a breach notification by mail as well as through local media channels. Credit monitoring services were offered to each affected party to mitigate any damage or loss that resulted from the breach. In spite of its prompt actions, the Puerto Rico Health Insurance Administration decided to issue a contractual fine for failing to follow HIPAA regulations after the breach.
While HIPAA has an upper limit of $1.5 million, under the terms of the contract between Triple S and the Puerto Rico Health Insurance Administration, a heavy fine can be issued which can range from $500 to $100,000 for each member affected. In the case of Triple S the fines were issued for disclosing the PHI of 13,336 beneficiaries, most of whom were individuals with low incomes and the elderly who qualified for assistance under Medicare and Medicaid.
It is understood that a fine of $500 will be issued for each of the 13,336 individuals affected, and in addition to this monetary penalty Triple S will be required to pay a further $100,000 fine due to a lack of cooperation in the investigation. It is unclear at this stage whether the OCR will also be taking action against Triple S. The OCR’s investigation into the breach is still ongoing.