
Essay: Triple-S Settlement: $3.5M Fine After Series of HIPAA Violations by US HHS OCR

Essay details:

  • Published: 1 April 2019*
  • Last Modified: 15 October 2024




Introduction to Health Informatics (HIM 6118)

UNIT REPORT 1

Submitted by George McGee, MD

March 16, 2016

Subject: Triple-S Management Corporation HIPAA Violation Settlement Agreement and Fine

  On November 30, 2015, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that Triple-S Management Corporation, a Puerto Rico-based insurance holding company that is also a Blue Cross Blue Shield licensee, had agreed to pay $3.5 million to settle potential violations of the HIPAA (Health Insurance Portability and Accountability Act of 1996) Privacy and Security Rules (HHS, 2015a). In addition to the fine, the company adopted a detailed plan to correct deficiencies in its HIPAA compliance program. The fine, at the time the second largest HIPAA violation fine issued to a single organization, resulted from OCR investigative findings indicating multiple HIPAA compliance failures. In 2014, the company had been fined $6.8 million by the Puerto Rico Health Insurance Administration for HIPAA violations, though that fine was reduced to $1.5 million on appeal (hipaajournal, 2015).

  Numerous data breaches reported by Triple-S since 2010 had prompted OCR’s investigation. According to the hhs.gov website (HHS, 2015b), the HIPAA compliance issues that have prompted the most OCR investigations overall are (in order of frequency):

1. Impermissible uses and disclosures of electronic Protected Health Information (PHI);

2. Lack of safeguards of PHI;

3. Lack of patient access to their PHI;

4. Lack of administrative, physical, and technical safeguards to protect PHI; and

5. Use or disclosure of more than the minimum necessary protected health information (e.g., for mailings).

  The OCR investigation of Triple-S (HHS, 2015c) found non-compliance with issues 1, 2, 4, and 5 in the above list.

  One focus of the OCR investigation was an initial data breach in 2010 involving the theft of PHI of almost half a million Triple-S subscribers. Several employees of Triple-S left the company and began working for a competitor. Triple-S failed to terminate the database access of those individuals when they left the company, and those former employees were able to access and download the PHI of 475,000 individuals. This demonstrated both a lack of safeguards for PHI and a failure to implement security measures sufficient to reduce risks and vulnerabilities to the PHI.

  A second HIPAA issue investigated by OCR involved two different mailings (several months apart) of pamphlets that listed the names, addresses, and Health Insurance Claim Numbers (HICN) of subscribers on the outside of the pamphlet, affecting over 13,000 subscribers. The first instance of this violation was the basis of the above-mentioned fine issued by the Puerto Rico Health Insurance Administration. The vendor that sent out these mailings for the company did not have a Business Associate Agreement in place. The investigation pointed to non-compliance in two areas: unauthorized disclosure of PHI by Triple-S to the vendor without an appropriate business associate agreement, and disclosure and use of more than the minimum necessary ePHI to accomplish the mailings.

  A third investigative focus involved a former employee who copied beneficiary PHI onto a CD, which he took home and later downloaded onto a computer at his new employer. The PHI included subscribers’ names, addresses, dates of birth, Social Security numbers, HICN, and contract numbers. Once again, OCR found that Triple-S lacked safeguards for PHI and had failed to implement security measures to reduce risks and vulnerabilities to the PHI.

  A fourth focus of the investigation involved unauthorized disclosure of subscribers’ names, ID numbers, and enrollment information (including benefit packages, effective dates, co-payments, and deductibles) when enrollment staff placed incorrect subscriber ID cards in mailing envelopes, so that members received the ID cards of other subscribers. Two other mailings within a few months also involved unauthorized disclosure of PHI: in one case PHI was impermissibly printed on mailing labels, and in the other, letters sent to subscribers contained PHI of other subscribers, including those subscribers’ names and addresses and listings of preventive tests to be performed by the other subscriber’s doctor.

  The settlement agreement between Triple-S and HHS/OCR (HHS, 2015c) stipulated a $3.5 million payment to HHS by Triple-S. The resolution agreement includes language, apparently standard for this type of settlement agreement between covered entities and HHS/OCR, stating that “This agreement is not an admission, concession, or evidence of liability by TRIPLE-S or of any fact or any violation of any law, rule, or regulation, including any violation of the HIPAA Rules” (Section 3), as well as “This Agreement is not a concession by HHS that TRIPLE-S is not in violation of the HIPAA Rules and not liable to civil money penalties” (Section 4).

  After reading the investigative findings of OCR (HHS, 2015c), one can compile a list of several actions that, if implemented by Triple-S prior to 2010, might have prevented some of the specific violations. Three such initiatives might have allowed Triple-S to maintain HIPAA compliance, and thus avoid an OCR investigation and the penalties that ensued: strict control of access to PHI, including prompt removal of that access as soon as individuals ended their employment with Triple-S; a mechanism for review and oversight of outgoing data to ensure its accuracy and minimize clerical errors; and development and enforcement of strict policies on how and where PHI data may be stored.
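As an added illustration of the first of those initiatives (prompt removal of access on termination), the Python below reconciles an HR roster against the set of enabled database accounts and flags PHI access logged after a termination date. It is not part of the essay or of the settlement documents; all usernames, dates, tables and log lines are constructed for the example.

```python
# Added example: detecting the deprovisioning failure behind the 2010 breach.
# Two checks a defender would run: (1) which enabled DB accounts belong to
# people HR has already terminated, and (2) which logged PHI accesses happened
# on or after the user's termination date. All data below is constructed.
from datetime import date, datetime

# Constructed HR roster: username -> termination date (None = still employed).
HR_ROSTER = {
    "jdoe": {"terminated": date(2010, 2, 12)},
    "asmith": {"terminated": date(2010, 3, 1)},
    "mlopez": {"terminated": None},
}

# Constructed snapshot of accounts currently enabled on the PHI database.
ACTIVE_DB_ACCOUNTS = {"jdoe", "mlopez", "svc_reports"}

# Constructed access log: "<ISO timestamp> <user> <action> <table> rows=<n>".
ACCESS_LOG = """\
2010-02-10T09:14:03 jdoe SELECT members rows=120
2010-02-20T22:41:55 jdoe EXPORT members rows=475000
2010-03-05T08:00:12 mlopez SELECT members rows=15
2010-03-09T17:30:00 asmith EXPORT claims rows=20000
"""


def orphaned_accounts(roster, active):
    """Return (orphaned, unmatched): enabled accounts whose HR record shows a
    termination date, and enabled accounts with no HR record at all (service
    accounts and similar, which need their own review)."""
    orphaned, unmatched = set(), set()
    for acct in active:
        rec = roster.get(acct)
        if rec is None:
            unmatched.add(acct)
        elif rec["terminated"] is not None:
            orphaned.add(acct)
    return orphaned, unmatched


def post_termination_access(roster, log_text):
    """Return (user, timestamp, action, rows) for every log event by a user
    on or after that user's termination date."""
    hits = []
    for line in log_text.splitlines():
        ts, user, action, _table, rows = line.split()
        term = roster.get(user, {}).get("terminated")
        if term is not None and datetime.fromisoformat(ts).date() >= term:
            hits.append((user, ts, action, int(rows.split("=", 1)[1])))
    return hits
```

In practice the roster and account snapshot would be pulled from the HR system and the database's user catalog on a schedule, and any non-empty result treated as a ticket, not a report.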

  Perhaps the best description of what Triple-S could have done to prevent the HIPAA non-compliance and the resulting penalties is found in the language of the “Corrective Action Plan” of the agreement (Appendix A: Corrective Action Plan Between The Department of Health and Human Services and Triple-S, HHS, 2015c). The first corrective action obligation listed in the agreement required Triple-S:

 “to conduct and complete an accurate, thorough, enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by Triple-S or its affiliates that contain, store, transmit or receive Triple-S PHI. As part of this process, Triple-S shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store PHI which will then be incorporated in its Risk Analysis.”

  Triple-S was instructed to use the results of the risk analysis to develop a risk management plan to address and mitigate any security risks or vulnerabilities identified. The agreement required Triple-S to submit the plan to HHS for review, either to approve it or to make recommendations for changes that would have to be incorporated into the plan. The finalized plan would then be distributed to the workforce members charged with its implementation. Additionally, Triple-S agreed to review and update the plan annually to identify and address potential risks and vulnerabilities to the “confidentiality, integrity, and availability of PHI held by Triple-S and Triple-S Business Associates” and to reduce the identified risks and vulnerabilities “to a reasonable and appropriate level” (HHS, 2015c).

  Triple-S was required to incorporate the risk management plan into its corporate policies and procedures and to ensure that these new measures were distributed to its entire workforce and business associates, as well as made available to all future new hires. The organization also agreed to develop a training program covering the Privacy, Security, and Breach Notification Rules for all of its workforce members and for business associates providing services on Triple-S premises. An annual compliance certification would be required from each individual in order to be granted access to PHI.

  In summary, Triple-S could have significantly reduced its risk of HIPAA non-compliance by conducting a thorough analysis of its security risks and vulnerabilities with regard to HIPAA Privacy and Security Rules compliance and carrying out a corrective action plan soon after the rules were formulated and published. Regular ongoing reviews should have been done to ensure compliance with any new or revised HIPAA rules and to identify areas of risk, with implementation of specific corrective actions.

  Reducing the risk of HIPAA non-compliance should be a major focus for every HIPAA-covered entity (Davis, 2011). HHS and OCR have signaled that HIPAA non-compliance is not an option and that covered entities can anticipate increased enforcement activity over the next year (hipaajournal.com, 2015). A review of OCR investigations demonstrates a correlation between PHI data breaches and the failure or absence of an adequate data security risk assessment. An ongoing, comprehensive data security risk analysis allows development of an implementation plan of corrective actions that deals with known risks, identifies and develops strategies for new, emerging risks, and addresses changes to the rules of compliance. Those activities, combined with equipping the entity’s workforce and business associates with the knowledge to identify potential data breach and security risks to PHI, should give the organization the tools needed to achieve and maintain voluntary HIPAA compliance.

References

Davis, Jessica. “Triple-S Management pays $3.5 million over HIPAA violations, poor patient protections”. Healthcare Finance News. December 7, 2015. Web. Retrieved March 15, 2016 from http://www.healthcarefinancenews.com/news/triple-s-management-settles-hipaa-violation-35-million

Department of Health and Human Services (HHS). (2015a). News release. “Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement”. November 30, 2015. Retrieved March 15, 2016 from http://www.hhs.gov/about/news/2015/11/30/triple-s-management-corporation-settles-hhs-charges.html

Department of Health and Human Services (HHS). (2015b). “Health Information Privacy: Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year”. Retrieved March 16, 2015 from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/top-five-issues-investigated-cases-closed-corrective-action-calendar-year/index.html

Department of Health and Human Services (HHS). (2015c). Resolution Agreement and Corrective Action Plan. Retrieved March 15, 2016 from http://www.hhs.gov/sites/default/files/Triple-S%20-%20OCR%20Resolution%20Agreement%20and%20Corrective%20Action%20Plan%20in%20Final%20%28508%29.pdf

FisherBroyles, LLP. “Triple-S Management Corporation Agrees to $3.5 Million Settlement”. 2015. Retrieved March 16, 2016 from https://www.fisherbroyles.com/triple-s-management-corporation-agrees-to-3-5-million-hipaa-settlement/

HIPAA Journal. “HIPAA Violation Fine of $3.5 million for Triple-S”. December 2, 2015. Retrieved March 15, 2016 from http://www.hipaajournal.com/hipaa-violation-fine-3-5-million-triple-s-8197/

Hunton & Williams LLP. “Triple-S Management Corporation Enters into $3.5 million HIPAA Settlement”. December 3, 2015. Retrieved March 16, 2016 from https://www.huntonprivacyblog.com/2015/12/03/triple-s-management-corporation-enters-into-3-5-million-hipaa-settlement/

“Millions of Dollars in Privacy Violations are Wake-Up Call for Healthcare Industry; Experts Share Insight About What’s Ahead”. PRNewswire. April 5, 2011. Retrieved March 14, 2016 from http://www.prnewswire.com/news-releases/millions-of-dollars-in-privacy-violations-are-wake-up-call-for-healthcare-industry-experts-share-insight-about-whats-ahead


* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.