Health Plan Pays $ 10.3 million in HIPAA Penalties

Dumb & DumberThe HIPAA enforcement agency announced on November 30, 2015 that Triple-S Management of Puerto Rico settled for $ 3.5 million in penalties for SEVEN HIPAA data breaches going back to 2010. Yes, SEVEN.

This is on top of a $ 6.8 million penalty the Puerto Rico Health Insurance Administration issued in early 2014. Included in that penalty was $ 100,000 for failure to cooperate with the insurance administration’s investigation.

So far the health plan’s lack of compliance has cost them $ 10.3 million in penalties, plus all the costs to notify health plan members, pay for credit monitoring, legal fees, damage to brand and reputation, and lost business.

Each of these breaches would have been easily preventable, but Triple-S Management probably had deluded themselves into believing they were HIPAA compliant.

The US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) announced that Triple-S Management had reported the following data breaches, each of over 500 individuals:

  • November 12, 2010 – former employees improperly accessed the company database because their access rights were not terminated when they left the company
  • November 8, 2013 – vendor disclosed Protected Health Information (PHI) on the outside of pamphlets mailed to health plan beneficiaries. No Business Associate Agreement was in place with the vendor.
  • April 2, 2014 – two Triple-S plans reported that a former employee had copied health plan member PHI onto a CD that he used to download the member information onto a computer at his new employer.
  • May 18, 2014 – vendor placed PHI on the outside of pamphlets sent to beneficiaries of a different Triple‑S health plan. No Business Associate Agreement was in place with that vendor. Same type of breach that occurred six months earlier.
  • March 31, 2015 – enrollment staff placed incorrect ID cards in mailings, resulting in beneficiaries receiving the member ID card of another individual.

These breaches each affected under 500 individuals –

  • February 27, 2015 – health plan ID numbers (PHI) were included on mailing labels
  • August 13, 2015 – a preventative mailing was sent to beneficiaries that included PHI for another member on the back of the member’s letter.

Seven breaches. Some more than once. Over 5 years. Are you laughing or shaking your head in disbelief?

Triple-S Management likely approached HIPAA as a compliance exercise, and completely failed – multiple times – to implement effective controls and processes to protect its health plan members.

My experience tells me that- like many other organizations – they probably had a HIPAA policy binder they could show in case of an audit, that their staff was self-taught, they had done their own risk analysis, and believed no one would ever catch them.

Beware of do-it-yourself compliance guides, websites, and checklists. You can make yourself look so good on the surface when everything below is really ugly. In 2014 the FBI warned healthcare organizations that the greatest vulnerability to the security of their data was their own belief that their data was secure, when the FBI’s facts proved otherwise.

Shocked

You can tell yourself, and everyone else, that you are compliant. But are you really?

SurprisedFemaleDoctorlOur new clients that start out thinking they are compliant are shocked to see evidence that they do not have the required combination of written policies, documented procedures, and believable evidence to prove they are really doing what it takes.

They are shocked because they think HIPAA is a short-term project, not a sustainable culture they must instill every day.

They are shocked when they do have policies and training records, and we show them their own policies and training are not being followed.

They are shocked to realize that recent problems should have been reported and patients should have been notified. They thought that they have not had any reportable incidents, which means they weren't really looking or weren't following the laws requiring notification and reporting.

Size and resources don’t always matter. We have worked with organizations that have invested millions of dollars for data security tools only to be shocked that they missed users that posted their passwords at their computers.

It is difficult to ensure consistent adherence to the regulations across an organization’s workforce, when you consider the wide range of potential mistakes that you must prevent or catch before they get out and cause an expensive and embarrassing data breach.

Preventing breaches takes a lot of work and diligence after building a compliance program. How hard are you looking at your (seemingly) simple processes to make sure people aren't making mistakes. How much quality control do you build into the little things?

It’s why everyone needs to need to look at Triple-S and wonder if any- or all - of those mistakes could happen to them.

It’s why everyone should thank Triple-S for becoming the $ 10.3 million poster child for HIPAA blunders, because they made you take a fresh look at what you are really doing.

There are 10.3 million reasons you don’t want to be starring in the sequel.