Insurance holding company Triple-S, based in San Juan, Puerto Rico, will settle potential HIPAA violation allegations by paying HHS a $3.5 million fine.
According to Health Data Management, this is the second-largest HIPAA fine, following the joint $4.8 million settlement NewYork-Presbyterian and Columbia University paid last year.
HHS' Office of Civil Rights started investigations into Triple-S after the payer reported multiple breach notifications. The OCR's investigations found widespread noncompliance throughout Triple-S' subsidiaries, including failing to implement appropriate safeguards to protect beneficiaries' protected health information (PHI), disclosing more PHI than necessary to carry out mailings, and failing to conduct accurate and thorough risk analyses, among others.
"Triple-S is committed to protecting the privacy and security of its beneficiaries' health information and implementing the Corrective Action Plan entered into with OCR," said Ramon M. Ruiz, president and CEO of Triple-S Management Corp. "We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR's technical assistance to date, and look forward to our collaboration in the future."