Triple-S, an insurance holding company and subsidiary of Triple-S Management Corporation, was notified by the Puerto Rican Health Insurance Administration (“HIA”) that HIA would pursue penalties against Triple-S for its alleged failure to properly respond to a breach of protected health information (“PHI”) involving 13,336 Dual Eligible Medicare enrollees (enrollees also eligible for Medicaid). Though Triple-S stated that it had complied with its breach response requirements, including complying with requests from HIA, HIA is still seeking over $6.8 million dollars in penalties against Triple-S for its breach response. Aside from monetary penalties, the sanctions include the suspension of new Dual Eligible Medicare enrollments and impose a duty on Triple-S to notify affected individuals of their right to disenroll.
The breach arose from a September 20, 2013 incident in which a Triple-S mailing to 70,000 Medicare Advantage beneficiaries mistakenly included beneficiaries’ unique claim numbers, considered to be PHI under the Health Insurance Portability and Accountability Act (“HIPAA”). Triple-S investigated the breach and provided notices to individuals, the government, and the media as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Triple-S also provided individuals with a contact number to voice concerns and offered free credit reporting services to affected individuals. So what went wrong? Though HIA has yet to comment on the deficiencies for which it is seeking penalties, Triple-S’s predicament provides an opportunity to discuss appropriate breach responses under HIPAA and HITECH.
Investigation—The first step in responding to a breach of PHI is investigating the breach and identifying who was affected, what information was accessed, and how such access was achieved.
Notification—For breaches involving information of more than 500 people, which was the case for Triple-S, a health care entity must notify affected individuals, notify the Secretary of the Department of Health and Human Services, and notify prominent media outlets serving the state or jurisdiction, all without unreasonable delay and in no case later than 60 days after the discovery of breach. (Note: There are separate requirements where a breach involved information of fewer than 500 people).
Remedial Measures—In addition to investigative and notification duties, health care entities should also take steps to remedy the causes of the breach and to lessen any harm caused by the breach. These steps can include:
The above list is meant only for illustration purposes and is not exhaustive. When faced with the possibility of a potential breach of protected health information, you should consult with an experienced health care attorney for advice related to individual circumstances.
The Health Law Gurus™ will continue to follow news about HIPAA breaches and sanctions.
We encourage you to share your thoughts and opinions about HIPAA breaches and sanctions with us and our readers in the comments section below.
To view the Triple-S Securities and Exchange Commission filing regarding HIA’s imposition of penalties, click here.
Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...
Read More by Author
