e-mail Print Share

Insurance holding company, hospital settle HHS charges for HIPAA violations

December 08, 2015

By Jennifer Garvin

Washington — An insurance holding company has agreed to pay a $3.5 million settlement for potential violations of the Health Insurance Portability and Accountability Act according to a Nov. 30 release from the U.S. Department of Health & Human Services Office for Civil Rights.

In a second HIPAA-related settlement, a Massachusetts hospital has agreed to pay $850,000 for potential violations, after the reported theft of a laptop used to operate a medical device triggered an OCR investigation.

The Office for Civil Rights said it investigated Triple-S Management Corporation and its subsidiaries after receiving "multiple breach notifications" from the company involving unsecured protected health information, according to an OCR press release. Lahey Hospital and Medical Center's alleged violations occurred after a laptop was stolen from an unlocked treatment room. In both cases, OCR alleged that parties "failed to conduct an accurate and thorough risk analysis."

Triple-S' alleged non-compliance with HIPAA rules also included:
  • Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries' protected health information;
  • Impermissible disclosure of its beneficiaries' protected health information to an outside vendor with which it did not have an appropriate business associate agreement;
  • Use or disclosure of more protected health information than was necessary to carry out mailings;
  • Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing electronic protected health information;
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its electronic protected health information to a reasonable and appropriate level.
In the Lahey matter, the hospital notified OCR in 2011 about the stolen laptop, which was used to operate a portable CT scanner and which contained the protected health information of 599 individuals. According to the release, the investigation indicated widespread non-compliance with HIPAA rules, including the following failures related to the workstation where the laptop was located: failure to physically safeguard the workstation, lack of a unique user name for identifying and tracking user identity, and failure to implement procedures that recorded and examined activity in the workstation. In addition, OCR alleged failure to implement and maintain policies and procedures regarding the safeguarding of protected health information maintained on work stations utilized in connection with diagnostic/laboratory equipment.

In addition to their monetary settlements, both Triple-S and Lahey agreed to adopt robust corrective action plans to correct deficiencies in their HIPAA compliance programs, including conducting risk analyses and developing risk management plans, as well as undertake additional obligations such as the development or revision of policies and procedures and workforce training.

Triple-S Management Corporation is an insurance holding company based in San Juan, Puerto Rico that was previously known as American Health Medicare Inc. Lahey is a nonprofit teaching hospital in Burlington, Massachusetts.