The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that an insurance company based in Puerto Rico will pay the second-largest HIPAA settlement in the history of enforcement of the law. Triple-S Management Corporation agreed to pay $3.5 million and implement a rigorous HIPAA compliance program after an OCR investigation found multiple HIPAA violations. The settlement amount is close to the largest HIPAA fine ever assessed by OCR, when New York Presbyterian Hospital and Columbia University were fined $4.8 million in 2014 following a PHI breach.

The resolution agreement explains the HIPAA violations and the actions Triple-S must take going forward. Triple-S failed to put business associate agreements in place with outside vendors, failed to protect paper and electronic PHI, failed to conduct a risk analysis regarding electronic PHI, and failed to ensure that the minimum necessary amount of PHI was disclosed to carry about business operations. These failures led to multiple breaches of PHI, including an incident where former Triple-S employees working for a competitor were able to access Triple-S’s database because Triple-S never terminated the employees’ access, an incident in which a former employee burned PHI onto a CD and gave the PHI to a competitor, and multiple incidents in which a business associate breached PHI by printing PHI on the outside of paper mailings sent to members. The required HIPAA compliance program must include risk analysis, policies and procedures, and HIPAA training for all employees and business associates.

Covered entities should ensure that all business associates are covered by appropriate legal agreements and that business associates are working in compliance with HIPAA. OCR has indicated that HIPAA audits of both covered entities and business associates are coming in 2016.