Puerto Rico Levies $6.8M Fine on Insurer for HIPAA Violations
February 25, 2014 in News
On Tuesday, health insurer Triple-S Management announced that the Puerto Rico Health Insurance Administration intends to impose a $6.8 million fine on the company over a security breach at the insurer’s subsidiary, Triple-S Salud, the Wall Street Journal reports (Prior, Wall Street Journal, 2/18).
According to Health Data Management, the fine is not related to HHS’ Office for Civil Rights, which has enforcement authority over HIPAA Privacy and Security Rules. However, the fine is larger than any imposed for HIPAA violations by OCR (Goedert, Health Data Management, 2/21).
In documents filed with the Securities and Exchange Commission, Triple-S Management said the fine stemmed from an incident that occurred on Sept. 20, 2013. At that time, Triple-S Salud inadvertently mailed a pamphlet that included beneficiaries’ Medicare health insurance claim numbers to 13,336 of its dual-eligible beneficiaries — individuals eligible for both Medicaid and Medicare.
According to the documents, Triple-S immediately investigated the incident and reported it to the appropriate government agencies. The company also:
- Released a breach notification to local media;
- Notified all affected beneficiaries; and
- Offered a year of identity protection and credit monitoring through a third-party provider to all individuals who were affected by the breach.
Details of Fine
Ricardo Rivera Cardona — executive director of the Puerto Rico Health Insurance Administration, or ASES — said that the $6.8 million fine represents $500 per affected individual, as well as an additional $100,000 penalty because Triple-S failed to cooperate with the administration’s investigation.
Rivera Cardona said the fine falls within HIPAA violation penalties outlined in ASES’ contract with Triple-S. In addition to the fine, ASES is calling for Triple-S to:
- Suspend enrollment of dual-eligible beneficiaries;
- Notify all affected individuals of their right to end their enrollment; and
- Implement a corrective action plan from ASES to prevent future breaches.
According to GovInfoSecurity, Triple-S has until March 13 to request an administrative hearing on the fine, which could result in the fine being maintained or reduced (Kolbasuk McGee, GovInfoSecurity, 2/19).