$3.5 Million HIPAA Settlement Highlights Scrutiny of Business Associate Relationships

On November 30, 2015, the Department of Health and Human Services Office for Civil Rights (OCR) announced that it had reached a $3.5 million settlement with Triple-S Management Corporation, an insurance holding company located in San Juan, Puerto Rico.

The settlement was the result of OCR’s investigation of multiple HIPAA breaches, some of which involved Triple-S business associates. OCR’s findings included several allegations related to business associates, including:

  1. Failure to have appropriate business associate agreements
  2. Violation of the minimum necessary rule as applicable to mailings (i.e., using more protected health information than necessary when communicating with individuals via mailings)
  3. Violations by business associate employees

Triple-S entered into a Resolution Agreement (corrective action plan) with OCR which, in part, included a requirement that Triple-S share HIPAA policies and procedures with its business associates and obtain certification that business associates have read, understood and agree to abide by the policies and procedures.

The requirements of this Resolution Agreement are notable because they suggest that OCR expects covered entities to play a larger role in educating their business associates than has been communicated to covered entities in the past.

Both the press release and the resolution agreement can be accessed here.
