Office of Civil Rights (OCR) Director Jocelyn Samuels has made it clear that the “OCR remains committed to strong enforcement of the HIPAA Rules.” The latest settlement, announced on 11/30/15, concerns Triple-S, an insurance holding company offering a wide range of insurance products and services, and demonstrates just how committed the OCR is when it comes to HIPAA compliance. The settlement included payment of $3.5 million and adoption of a corrective action plan to implement a robust and comprehensive HIPAA compliance program pursuant to the Resolution Agreement entered by Triple-S.
Here’s what went wrong: the settlement followed an OCR investigation initiated after Triple-S reported multiple breach notifications to the OCR. The investigation revealed “widespread non-compliance” with HIPAA including:
As noted above, here’s what the OCR required from Triple-S to settle the potential violations: payment of $3.5 million plus entering into a Plan of Correction to implement a comprehensive HIPAA compliance program.
Here’s what the comprehensive compliance program will include to protect the security, confidentiality, and integrity of the PHI Triple-S collects from its beneficiaries:
The OCR has once again clearly demonstrated its commitment to enforcing the HIPAA Rules. In this case, repeated breach notifications brought an OCR investigation to Triple-S. That investigation uncovered potential violations of HIPAA, and this settlement is meant to correct them.
So what’s a Covered Entity to do? It’s quite simple – be in compliance with HIPAA. Even with the best compliance programs, breaches happen and must be reported to the OCR. The best protection for a Covered Entity undergoing an investigation following the report of a breach is to have a vital HIPAA compliance program already in place. As Triple-S learned, not having a HIPAA compliance program can be costly. In addition to a large payment to the OCR, now Triple-S will have a HIPAA compliance program under the added scrutiny of a Resolution Agreement with the OCR.
To avoid the fate of Triple-S, health care providers must bring their HIPAA compliance programs in line with the Privacy and Security Rules. Consult qualified legal counsel for assistance.
By Denise Bloch