OCR Levies Largest Insurer HIPAA Penalty: $3.5 Million Penalty Plus Corrective Plan for Puerto Rico Health Plan

Dec 4, 2015 | Blog

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services has served notice that it will scrutinize health insurers’ compliance with health information privacy and security safeguard requirements to the same extent or perhaps more critically than it does with healthcare providers. On Nov. 30, 2015, OCR announced a settlement with Triple-S Management Corporation (Triple-S), on behalf of wholly-owned subsidiaries Triple-C Inc. and Triple-S Advantage, formerly known as American Health Medicare, Inc., for $3.5 million. This is the largest HIPAA penalty against a health plan to date. In addition to the penalty, Triple-S must adopt a comprehensive corrective plan and report annually to OCR on the status of implementation of that plan.

OCR wrote in the Resolution Agreement that, in 2010, access rights to the network were not terminated for two former employees upon leaving employment. The former employees then accessed the database containing such protected health information of more than 500 subscribers, including members’ names, contact information, and diagnostic and treatment codes and disclosed that information to a competitor. OCR found that the insurer did not have adequate privacy or security safeguards, including a process for terminating departing employees’ network access In addition, OCR found that Triple-S had not performed a risk analysis and did not have a protocol in place for adequately responding to or reporting breaches.

The true cost of this breach will be much higher than the amount of the penalty because the insurer must implement and adhere to a Corrective Plan, which will comprise preparation of adequate privacy and security protocols, training on those protocols, performance of a Security Risk Analysis and implementation of a Risk Analysis Plan, as well as implementation of processes for reporting breaches and submission of these protocols for OCR approval.  The company must also report to the OCR annually on its compliance with the Corrective Plan. This will entail significant legal and consultants’ fees.

The above scenario is likely to be repeated several times in 2016. Many small to mid-size (and larger) health insurers are out of compliance due to outmoded privacy and security policies (many not revisited since the Omnibus Rule changed the security landscape in 2013) and failure to periodically assess their technical risk exposures. Given the plethora of cyber-attacks and breaches due to employee negligence that we have seen in 2015, the question for these insurers in 2016 is whether their protocols can withstand OCR inspection when (not if) they experience a breach.

Please contact Kenneth N. Rashbaum with any questions concerning HIPAA compliance for health plans and insurers.