Insurance company slapped with $3.5M fine for widespread HIPAA violations
Beth Walsh | December 08, 2015 | Health Exec | Cybersecurity

Another organization has been hit with a big fine for HIPAA violations.

Triple-S Management Corporation has agreed to settle potential HIPAA violations with the Department of Health and Human Services' (HHS) Office of Civil Rights (OCR) by paying $3.5 million, after repeatedly failing to put safeguards in place for its beneficiaries' protected health information (PHI).

The settlement includes a robust corrective action plan for the San Juan, P.R.-based insurance holding company, which already is in place.

"OCR remains committed to strong enforcement of the HIPAA Rules," OCR Director Jocelyn Samuels, said in a release. "This case sends an important message for HIPAA-covered entities, not only about compliance with the requirements of the security rule, including risk analysis, but compliance with the requirements of the privacy rule, including those addressing business associate agreements and the minimum necessary use of protected health information."

HHS received multiple breach notifications from Triple-S about unsecured PHI, according to OCR, which then investigated the organization's HIPAA compliance. OCR found widespread non-compliance throughout Triple-S and its subsidiaries.

The investigated revealed a laundry list of problems, such as failure to implement appropriate administrative, physical and technical safeguards to protect beneficiaries' PHI privacy; impermissible disclosure of beneficiaries' PHI to outside vendors without appropriate business associate agreements; use or disclosure of more PHI than necessary for mailings; failure to conduct accurate and thorough risk analysis; failure to implement security measures sufficient to reduce risks and vulnerabilities.

Triple-S fully cooperated with the HHS investigation and agreed to instate a comprehensive HIPAA compliance program, a condition of the settlement. 

To obtain good-standing, Triple-S must create a risk analysis and risk management plan; a process to evaluate and address environmental or operational changes affecting PHI security; policies and procedures to facilitate HIPAA compliance and a training program for all TRIPLE-S workforce and business associates.

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Related Content

Six hospital groups urge UnitedHealth to take responsibility for Change Healthcare hack notifications
Ascension experiences disruption of operations after 'cybersecurity event'
AMA says Change Healthcare breach is crippling independent practices
Breached Change Healthcare server lacked multifactor authentication, UnitedHealth CEO admits
Kaiser Permanente exposed data on 13.4 million members to tech companies
Hackers were inside Change Healthcare’s systems 9 days before attack

Design by Adaptive Theme
Trimed Popup
Trimed Popup