The health sector is under siege with cybersecurity threats. Some of the largest announced cyber attacks in U.S. history have targeted organizations in the health industry. Regulators have...02 May 2016
Puerto Rico Hits Insurer with Record $6.8 Million Fine for HIPAA Breach
The Puerto Rican government’s penalties are steep in comparison to previous fines for HIPAA violations. The Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services, which is the federal agency tasked with enforcing HIPAA, has only once issued a civil money penalty for a violation of the HIPAA Privacy Rule. That fine was for $4.3 million in 2011. OCR has also fined 14 regulated entities since 2009 through settlement agreements relating to HIPAA violations. These settlements required payments ranging from $35,000 to $1.7 million. It is not clear whether OCR will also take action against Triple S. An OCR spokeswoman stated that the agency’s investigation into the breach is still open.
The breach in question occurred on September 20, 2013 when Triple S mailed a pamphlet displaying the Medicare Health Insurance Claim Number ("HICN") of approximately 70,000 of its Medicare Advantage beneficiaries. The HICN is a unique government identifier for each Medicare beneficiary, and is considered protected health information under HIPAA when held by or on behalf of a HIPAA covered entity. In response to the breach, Triple S investigated and reported the incident to Puerto Rican and federal government agencies, issued a breach notification through the local media, notified all affected beneficiaries by mail, and offered twelve months of free credit monitoring and identity protection to affected beneficiaries. However, the Puerto Rico Health Insurance Administration found that Triple S failed to meet HIPAA requirements in response to the breach, and therefore levied a contractual fine against the insurer.
The fine specifically accounts for the 13,336 beneficiaries enrolled in the company’s Dual Eligible Medicare plan who were affected by the breach. This plan covers older, low-income individuals who are eligible for both Medicare and Medicaid. The contract between Triple S and the Puerto Rico Health Insurance Administration allows the agency to fine the company for HIPAA violations. According to Rivera Cardona, the executive director of the Puerto Rico Health Insurance Administration, the contractual fines may range from $500 to $100,000 for each member of the Dual Eligible Medicare plan, which allows for substantially higher fines than the maximum sanctions allowed under HIPAA. In this case, the expected fines will amount to $500 for each of the 13,336 Dual Eligible Medicare beneficiaries affected by the breach, plus another $100,000 for Triple S’ failure to cooperate with the Puerto Rico Health Insurance Administration investigation into the breach.
Special thanks to Adam Solomon, an Associate in our Washington, D.C. office, for his substantial assistance in the preparation of this post.