Triple-S Management Corporation, the Blue Cross and Blue Shield licensee in Puerto Rico, has agreed to complete a HIPAA compliance corrective action program and pay a $3.5 million fine to the HHS Office for Civil Rights following multiple breaches of protected health information.

The fine is the second largest levied against organizations that OCR believes substantially ignored HIPAA. The largest fine imposed to date by OCR is $4.8 million with New York-Presbyterian Hospital paying $3.3 million and Columbia University paying $1.5 million after the PHI of 6,800 individuals was inadvertently made accessible on Internet search engines.

In the fall of 2010, employees of a competitor of Triple-S on multiple occasions during a 7-day period downloaded PHI on 398,000 Blues members into the competitor’s information systems by using active user IDs and passwords specific to Triple-S’ database. The employees of the competitor previously worked at Triple-S and their access rights had not been terminated upon leaving. The competitor upon learning of the breach informed Triple-S.

On at least six other occasions from November 2013 to August 2015, Triple-S reported to OCR breaches that occurred when PHI, including names, address and health insurance claim numbers were printed on the outside of pamphlets mailed to beneficiaries.

Also See: Lahey Hospital Fined $850K for HIPAA Violations

Now, Triple-S has agreed to the financial settlement, development of an OCR-prescribed risk analysis and risk management plan, programs to access environmental or operational changes that affect the security of electronic PHI, and a full HIPAA training program for all Triple-S employees and business associates.

“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the corrective action plan entered into with OCR,” Ramon Ruiz, president and CEO, said in a statement. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”

The Triple-S resolution agreement is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access