Insurance holding company to pay $3.5M to settle HIPAA claims

An insurance holding company that notified the HHS Office for Civil Rights (OCR) about multiple improper disclosures of beneficiaries’ protected health information (PHI) will pay $3.5 million to settle its potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. As part of the agreement, the company will also adopt a three-year corrective action plan (CAP) to address any deficiencies in its HIPAA compliance program.

Background. Triple-S Management Corporation (Triple-S) is an insurance holding company based in San Juan, Puerto Rico, that offers various insurance products and services to residents of Puerto Rico. Triple-S notified the OCR of various breaches relating to unsecured PHI, such as one in which a former employee copied beneficiary electronic PHI (ePHI) onto a CD and downloaded it to the computer of his new employer. Other breaches involved the PHI of over 500 beneficiaries being improperly disclosed on mailings.

Non-compliance. During a subsequent investigation, the OCR found widespread non-compliance throughout Triple-S’ various subsidiaries: they failed to implement appropriate safeguards to protect beneficiaries’ PHI and impermissibly disclosed beneficiaries’ PHI to an outside vendor. The OCR also found that the subsidiaries used or disclosed more PHI than necessary for mailings and failed to conduct an accurate and thorough risk analysis that included all IT equipment and data systems that used the beneficiaries’ PHI. They also failed to implement security measures to reduce risk to the ePHI.

Settlement. Triple-S, on behalf of its wholly owned subsidiaries, Triple-S Salud, Inc., Triple-C Inc., and Triple-S Advantage Inc., which was formerly known as American Health Medicare, Inc., agreed to settle the claims relating to potential violations of HIPAA. As part of the settlement with HHS, Triple-S will adopt a CAP to protect its beneficiaries’ PHI. Pursuant to the terms of the CAP, Triple-S must perform a risk analysis and develop a risk management plan and a process for evaluating and addressing any changes that affect the security of the ePHI. It is also required to create policies and procedures for facilitating compliance with HIPAA Rules and a training program for all members of its workforce and business associates.

SOURCE: Triple-S Resolution Agreement, November 30, 2015.