Insurance provider learns that lax HIPAA standards have costly results
It doesn’t take a giant patient privacy breach to catch the attention of federal regulators. Sometimes, a series of small failures can lead to huge penalties.
In 2015, the Office for Civil Rights (OCR) settled a case with a Puerto Rican health insurance provider for a whopping $3.5 million. The case received very little attention, but serves as an excellent example of the perils of poor compliance.
It’s also important to note that cooperating with investigators, while appreciated, does not necessarily provide protection from large monetary settlements. The only way to protect yourself from big payouts is to avoid the breach in the first place.
Investigation leads to discovery of multiple HIPAA violations
After receiving several protected health information (PHI) breach notifications, OCR opened a Health Insurance Portability and Accountability Act (HIPAA) investigation into Triple-S Corporation and its subsidiaries. The firm offers a wide range of insurance products and services to residents of Puerto Rico.
The investigation found that Triple-S had failed to put in place a comprehensive HIPAA compliance program. Triple-S was found to have violated the HIPAA Privacy and Security Rules, which were designed to protect patient privacy.
The investigators also found that Triple-S had failed to perform a risk analysis, to ensure that business associate agreements were in place, and to limit the information shared with those partners to the minimum necessary.
HIPAA failures include physical and technical deficiencies
The OCR noted in its findings that Triple-S had numerous failures, including:
- Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
- Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
- Use or disclosure of more PHI than was necessary to carry out mailings;
- Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing Electronic Protected Health Information (ePHI); and
- Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
Investigators demand comprehensive HIPAA compliance program
The settlement requires Triple-S to establish a comprehensive compliance program, designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:
- A risk analysis and a risk management plan;
- A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
- Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
- A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended for all members of the workforce and for business associates providing services on Triple-S premises.
Investigators praised Triple-S for its cooperation during the investigation, going out of their way to note the company’s embrace of OCR technical assistance. Still, Triple-S paid a $3.5 million monetary settlement and agreed to undertake a lengthy corrective action plan.
What’s your HIPAA compliance profile?
Are your business associate agreements rock solid? Have you performed a HIPAA risk analysis in the past year? Are you sharing only the minimal necessary information with your industry partners and contractors? If you’re uncomfortable with these questions, we can help.