TRIPLE-S Management Corporation (TRIPLE-S), an insurance holding company based in San Juan, Puerto Rico, offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries, including Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. (formerly known as American Health Medicare Inc.). TRIPLE-S has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).
TRIPLE-S has extended full cooperation with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement.
OCR's investigation identified widespread non-compliance across the TRIPLE-S subsidiaries, including:
a). Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
b). Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
c). Use or disclosure of more PHI than was necessary to carry out mailings;
d). Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
e). Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
To resolve these findings, TRIPLE-S agreed to pay $3.5 million and to adopt a robust corrective action plan to remedy the deficiencies in its HIPAA compliance program.
OCR noted that TRIPLE-S has already begun the corrective actions required by the Corrective Action Plan with OCR's technical assistance, and it will continue to work with OCR to come into compliance with HIPAA.
The Resolution Agreement and Corrective Action Plan can be found here.