On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their Health Insurance Portability and Accountability Act (HIPAA) compliance efforts: business associate agreements and minimum necessary use of protected health information (PHI).

The subsidiaries are covered entities or business associates as defined by HIPAA. OCR initiated its investigation of these entities following several separate reported breaches. In its resolution agreement, OCR identified the entities’ violations of HIPAA with the following conduct:

  1. Impermissibly disclosing the PHI of beneficiaries as a result of breach incidents;
  2. Failing to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
  3. Impermissibly disclosing its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
  4. Disclosing more PHI than was necessary to accomplish the purpose for which it hired the outside vendor;
  5. Failing to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI;
  6. Failing to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level; and
  7. Failing to implement procedures for terminating access to ePHI when the employment of a workforce member ends.

OCR reached a $3.5 million settlement amount with Triple-S and issued an extensive three-year corrective action plan (CAP). The CAP requires Triple-S to conduct a security risk analysis and implement a risk management plan, implement a process for evaluating environmental and operational changes, review and revise policies and procedures, and provide training to its workforce and business associates. The CAP also requires annual reports attesting to compliance with the CAP.

This resolution agreement and CAP continue to demonstrate OCR’s focus on security risk analyses and risk management plans. OCR has previously set forth guidance for covered entities and business associates on conducting risk analyses. As covered entities and business associates prepare their 2016 budgets and work plans, we recommend review and revision of these important items for HIPAA compliance.