Another HIPAA violation fine has just been settled. The amount is staggering, to say the least. As of today, the Health and Human Services Department (HHS) agreed to a $3.5 million settlement with Triple-S Management Corporation for HIPAA violations.
Triple-S Management Corporation, an insurance holding company based out of San Juan, Puerto Rico, offers a variety of insurance products and services through its subsidiaries. These subsidiaries include Triple-Salud Inc., Triple-C Inc., and Triple-S Advantage Inc. (aka American Health Medicare Inc.). The large HIPAA fine resulted from an OCR-initiated investigation.
The Office of Civil Rights (OCR) investigated Triple-S after multiple breach notifications involving unsecured PHI. The results of OCR’s investigation were incredibly disturbing. OCR’s investigation showed that Triple-S had rampant and widespread non-compliance issues. The results of the investigation include:
- Failure to implement physical, technical, and administrative safeguards for PHI
- Impermissible disclosure of PHI
- Use of more PHI than necessary to accomplish tasks
- Failure to perform a risk analysis to assess vulnerabilities
- Failure to implement security measures to reduce risks and vulnerabilities to PHI
With the help of OCR, Triple-S has already undertaken the necessary changes that the OCR recommended. The changes include performing a risk analysis and creating a risk management plan, evaluating and addressing the environmental or operational conditions that affect the security of PHI, and training its workforce on the different aspects of HIPAA. Triple-S hopes that these changes will shore up its vulnerabilities and prevent future incidents.
However, one must ask: is it already too late? Many people know that once healthcare data is leaked, it is incredibly difficult to fix, and this type of data is extremely valuable on the black market.