HHS recently agreed to a $3.5 million resolution with business associates and covered entities for numerous violations of the Privacy, Breach Notification, and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA). Triple S, as the parties are collectively known, seemed to miss the regulatory ball in a few ways, like protected health information being printed on marketing materials and mailing labels, former employees having access to the information, and people receiving the insurance ID cards of others in the mail.

As a result of these violations, HHS not only came to the resolution agreement with Triple S but is also holding its hand through what could be a lengthy and expensive (for Triple S) corrective action process. Triple S has been ordered to conduct risk analyses, and develop processes and policies on a relatively tight deadline for HHS’ review and validation. HHS retained the ability to make changes to these processes and policies before Triple S is able to train its workforce (the materials for which HHS will review) and implement the procedures. Triple S also has to report on its progress annually to HHS.

HHS’ investigation and actions against Triple S are seen by many as the latest step by OCR in its continually stronger HIPAA enforcement. Covered entities and business associates should carefully review their HIPAA policies and procedures to ensure that they exist and are compliant with the HIPAA rules. Prudent organizations may also want to perform an internal audit to ensure that their workforce actually follows the directions, and to stress the importance of following these rules.