The HITECH law puts a cap on fines that the Department of Health and Human Services (HHS) can assess for HIPAA violations at $1.5 million per incident per year. However, other federal, state and regional regulatory agencies have authority to impose fines for violations of the HIPAA privacy and security standards, and can do so simultaneously for the same offense.
Health insurer Triple-S Management Corporation (Triple S) of San Juan was recently fined $6.8 million by the Puerto Rico Health Insurance Administration (PRHIA) for improperly handling the protected health information (PHI) of 13,336 of its beneficiaries who were dual-eligible for Medicare and Medicaid. Accreditation requirements to sell insurance in Puerto Rico required Triple S to sign a contract agreeing to maintain compliance with HIPAA or face fines and additional sanctions for violations.
The breach resulted from a September 20, 2013 incident in which Triple S mailed pamphlets to its beneficiaries with their Medicare numbers visible from the outside of the envelope. Medicare numbers are unique client identifiers that are deemed PHI when held by or on behalf of a HIPAA covered entity. As a result of the HIPAA violations, the PRHIA assessed a $6.8 million fine and called for Triple S to suspend dual-eligibility enrollment, notify affected individuals of their right to end their enrollment, and implement a corrective action plan to prevent future breaches.
Cooperation is Key
In this case, the fine was assessed at $500 for each of Triple S’ 13,336 affected beneficiaries, in accordance with the contract Triple S signed with PRHIA. An additional $100,000 was assessed for its failure to cooperate with PRHIA’s investigation into the incident, for providing misleading information, and, in response to some requests, for not supplying any information to PRHIA at all, as reported by 4Medapproved HIT Security in HIPAA Enforcement Blind Spots (March 3, 2014).
The fines levied against Triple S put Covered Entities and Business Associates on notice of their absolute obligation to comply fully with HIPAA and to implement proper procedures for reporting and investigating breaches. This is an essential part of HIPAA compliance planning. Further, Covered Entities and Business Associates need to be aware of the concurrent authority of the Federal Trade Commission (FTC) to address HIPAA violations. The FTC can exercise regulatory oversight through corrective action plans for up to 20 years for HIPAA violations. Complying with HIPAA privacy and security standards is the right thing to do for your healthcare practice and/or business—but most important, for your patients and clients.