The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed a HIPAA violation fine of $3.5 million with Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation.
This is the second HIPAA violation fine to be revealed in the space of a week, with the latest financial penalty coming soon after the $850,000 settlement between OCR and Lahey Hospital and Medical Center. The latest fine emphasizes just how costly non-compliance can be.
Last year, Triple S Management Corporation was already hit with a HIPAA violation fine of $6.8 million by the Puerto Rico Health Insurance Administration (PRHIA) for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule, although that fine was reduced to $1.5 million on appeal.
The PRHIA fine was issued following the mailing of a pamphlet that displayed the Medicare Health Insurance Claim Numbers of subscribers. The fine corresponded to $500 for each of the 13,336 affected Medicare and Medicaid beneficiaries of the insurer.
The fine was issued to Triple S Management Corporation, on behalf of its subsidiaries Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., as a penalty for a series of data breaches suffered as a direct result of HIPAA compliance failures. The Puerto Rico BCBS licensee agreed to settle the alleged HIPAA Privacy and Security Rule violations without admitting liability.
Data breaches have been experienced by Triple S Management Corporation and its subsidiaries on at least eight separate occasions since 2010, including five breaches in 2014.
The first data breach reported to OCR happened in 2010 and involved the theft of the PHI of 475,000 individuals. A number of Triple-S employees left the company and took jobs with a rival insurer; however, Triple-S failed to deactivate their database access rights after they left. This allowed the former employees to access the Protected Health Information of Triple-S subscribers, which they did for one week.
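The 2010 breach is a textbook offboarding failure: accounts that should have been disabled on the employee's last day stayed live and were used for a week. The check below is an added example (not code from the article or from Triple-S) of the reconciliation a security team can run daily: it joins HR separation records against an export of accounts on a system holding PHI and flags any account that is still enabled past its owner's separation date, noting whether it has been used since. The sample records are constructed for the demonstration; in practice the two inputs would come from the HR system and the database's account table.

```python
from datetime import date

# Constructed sample data (not from the article): HR separation records,
# keyed by account name, and an export of accounts on a database holding PHI.
HR_SEPARATIONS = {
    "jdoe": date(2010, 9, 1),
    "mperez": date(2010, 9, 3),
}
DB_ACCOUNTS = [
    # Left on 1 Sep, account still enabled and used on 7 Sep: the failure mode.
    {"user": "jdoe", "enabled": True, "last_login": date(2010, 9, 7)},
    # Left on 3 Sep, account correctly disabled: nothing to report.
    {"user": "mperez", "enabled": False, "last_login": date(2010, 9, 2)},
    # Still employed (no separation record): nothing to report.
    {"user": "arivera", "enabled": True, "last_login": date(2010, 9, 8)},
    # Service account that never logged in interactively; still employed.
    {"user": "svc_claims", "enabled": True, "last_login": None},
]


def orphaned_accounts(accounts, separations, as_of):
    """Return one finding per account that is still enabled although HR
    lists its owner as separated. Each finding records how many days the
    account has outlived the separation date and whether it was used after
    that date (the signal that access was not merely lingering but exploited)."""
    findings = []
    for acct in accounts:
        left = separations.get(acct["user"])
        if left is None or not acct["enabled"]:
            continue
        last = acct["last_login"]
        findings.append({
            "user": acct["user"],
            "separated": left,
            "days_open": (as_of - left).days,
            "used_after_separation": last is not None and last > left,
        })
    # Report accounts that were actually used first, then the longest-open ones.
    findings.sort(key=lambda f: (not f["used_after_separation"], -f["days_open"]))
    return findings


def disable_list(findings):
    """Account names to hand to the deprovisioning job; every finding is
    actionable, but the list keeps the same priority order as the findings."""
    return [f["user"] for f in findings]


if __name__ == "__main__":
    today = date(2010, 9, 8)  # constructed "run date" for the sample
    for f in orphaned_accounts(DB_ACCOUNTS, HR_SEPARATIONS, today):
        print(f"{f['user']}: separated {f['separated']}, enabled {f['days_open']} days later, "
              f"used after separation: {f['used_after_separation']}")
    print("disable:", disable_list(orphaned_accounts(DB_ACCOUNTS, HR_SEPARATIONS, today)))
```

The comparison deliberately keys on the HR record rather than on login activity alone: an account that has not been used since its owner left is still an open door, and a risk assessment that covers "all systems, applications, and equipment" that touch ePHI should run this reconciliation against every such system, not only the primary database.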
In 2013, 13,336 subscribers were affected by the mailing error. In 2014, four instances of theft of PHI were reported by Triple-S subsidiaries. Those data breaches affected a total of 419,706 people.
Two of the 2014 data breaches were experienced by Triple-C Inc., the larger of which exposed the PHI of 398,000 people. Triple-S Salud suffered three separate data breaches in 2014, including one that exposed the PHI of 56,853 individuals. This year, Triple-S Advantage Inc. reported a data breach that exposed 1,458 member records.
OCR carried out an investigation into the data breaches and discovered numerous potential HIPAA violations stemming from “widespread non-compliance” problems.
As was the case with Lahey Hospital and Medical Center, an accurate and complete risk assessment had not been conducted. In the case of Triple-S, the risk assessment did not cover all systems, applications, and equipment that used or came into contact with ePHI.
OCR investigators also found multiple Security Rule violations, including a lack of security measures to protect ePHI and failures to implement administrative, physical, and technical safeguards to protect the privacy of its subscribers.
Following the $1.5 million Puerto Rico Health Insurance Administration fine, it was not clear whether OCR would also issue a financial penalty. It has taken some time, but the settlement does appear to cover the HIPAA failures that contributed to that breach. OCR cited the disclosure of more PHI than was necessary to carry out subscriber mailings. Investigators also found that on at least one occasion, PHI had been released to a business associate without Triple-S having first obtained a signed business associate agreement.
The HIPAA violation fine of $3.5 million is only part of the agreed settlement. Triple S Management Corporation has also been issued with a robust corrective action plan. The plan requires Triple-S to implement a comprehensive HIPAA compliance program. The insurer must also carry out a thorough risk assessment, develop a risk management plan, and train all employees on the HIPAA Privacy, Security, and Breach Notification Rules. Training must also be provided to staff employed by its business associates.
The latest HIPAA violation fine is not the largest ever. In 2011, Cignet Health agreed to pay a HIPAA breach fine of $4.3 million to settle HIPAA Privacy Rule violations. Last year, New York-Presbyterian Hospital (NYPH) and Columbia University agreed to settle alleged HIPAA violations with OCR and paid $4.8 million, 69% of which was paid by NYPH. The Triple S Management Corporation penalty is therefore the second largest HIPAA violation fine issued to a single entity.
A huge number of data breaches have been experienced by HIPAA-covered entities in the past two years, yet enforcement actions have been few and far between. OCR was recently criticized for its lack of enforcement – not for the first time – by the OIG, and a rise in financial penalties is expected.
Two settlements in one week should send a clear message to covered entities that non-compliance is not an option, and that OCR is taking a stricter line on violators of the HIPAA Rules. With the next round of HIPAA compliance audits due to start in the first quarter of 2016, covered entities need to ensure that action is taken to address any areas of non-compliance that persist.