Triple-S Management Corporation recently settled with the federal government for $3.5 million to address its potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The Office for Civil Rights (OCR) investigated Triple-S Management Corporation and its subsidiaries (collectively, Triple-S) after Triple-S reported seven separate breaches of protected health information (PHI) over a five-year period. While Triple-S did not admit to any violations of law in the settlement agreement, OCR noted that Triple-S had failed to comply with at least seven HIPAA requirements.

As with other recent OCR settlements, Triple-S was cited for its failure to conduct an accurate and thorough risk analysis. OCR also highlighted Triple-S’s failure to implement a risk management plan to reduce risks and vulnerabilities to electronic PHI. Of note, OCR cited Triple-S for its failure to implement business associate agreements with its vendors prior to disclosing PHI to them.

Triple-S also agreed to a corrective action plan that obliges it to conduct a risk analysis, implement a risk management plan, and develop HIPAA-compliant policies and procedures. OCR will monitor Triple-S’s HIPAA compliance for three years.

TIP: This is OCR’s second largest settlement to date and may signal the agency’s intention to ramp up its enforcement efforts. Businesses subject to the HIPAA rules should review their compliance measures, especially given the roll-out of OCR’s long-awaited audit program in 2016.