On February 18, Puerto Rican insurer Triple S Salud revealed that it will face a $6.8 million fine for violating the Health Insurance Portability and Accountability Act (“HIPAA”).  According to an 8-K filing submitted to the Securities and Exchange Commission (“SEC”), the Puerto Rico Health Insurance Administration notified Triple S on February 11, 2014, regarding its plans to sanction the insurer for HIPAA violations resulting from a 2013 breach of protected health information.  The Health Insurance Administration also plans to impose administrative sanctions on the insurer, including the suspension of new enrollments into one of its plans and the obligation to notify affected individuals of their right to disenroll.

The Puerto Rican government’s penalties are steep in comparison to previous fines for HIPAA violations.  The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services, which is the federal agency tasked with enforcing HIPAA, has only once issued a civil money penalty for a violation of the HIPAA Privacy Rule.  That fine was for $4.3 million in 2011.  OCR has also fined 14 regulated entities since 2009 through settlement agreements relating to HIPAA violations.  These settlements required payments ranging from $35,000 to $1.7 million. It is not clear whether OCR will also take action against Triple S.  An OCR spokeswoman stated that the agency’s investigation into the breach is still open.

The breach in question occurred on September 20, 2013 when Triple S mailed a pamphlet displaying the Medicare Health Insurance Claim Number (“HICN”) of approximately 70,000 of its Medicare Advantage beneficiaries.  The HICN is a unique government identifier for each Medicare beneficiary, and is considered protected health information under HIPAA when held by or on behalf of a HIPAA covered entity.  In response to the breach, Triple S investigated and reported the incident to Puerto Rican and federal government agencies, issued a breach notification through the local media, notified all affected beneficiaries by mail, and offered twelve months of free credit monitoring and identity protection to affected beneficiaries.  However, the Puerto Rico Health Insurance Administration found that Triple S failed to meet HIPAA requirements in response to the breach, and therefore levied a contractual fine against the insurer.

The fine specifically accounts for the 13,336 beneficiaries enrolled in the company’s Dual Eligible Medicare plan who were affected by the breach.  This plan covers older, low-income individuals who are eligible for both Medicare and Medicaid.  The contract between Triple S and the Puerto Rico Health Insurance Administration allows the agency to fine the company for HIPAA violations.  According to Rivera Cardona, the executive director of the Puerto Rico Health Insurance Administration, the contractual fines may range from $500 to $100,000 for each member of the Dual Eligible Medicare plan, which allows for substantially higher fines than the maximum sanctions allowed under HIPAA.  In this case, the expected fines will amount to $500 for each of the 13,336 Dual Eligible Medicare beneficiaries affected by the breach, plus another $100,000 for Triple S’ failure to cooperate with the Puerto Rico Health Insurance Administration investigation into the breach.