5 min reading time

That’s how much Triple-S Management Corp will pay for insufficiently protecting health information.

See for what Health & Human Services said.

It’s not as though these rules just appeared.

Group member and privacy expert Rebecca Herold writes, “Expect to see many more fines/sanctions in the coming year. If healthcare organizations and their vendors don’t establish safeguards, after close to 15 years of having time to do so, they will be paying a large price.”

From the Office for Civil Rights (OCR), which enforces the Federal standards that govern the privacy of individually identifiable health information:

“After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:

• Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;

• Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;

• Use or Disclosure of more PHI than was necessary to carry out mailings;

• Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and

• Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:

• A risk analysis and a risk management plan;

• A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;

• Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and

• A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises.”

For today’s discussion, think back over your career: How confident are you that all your former employers have impenetrable protections for patient data it collects?

Are you using online apps for your health?

How concerned are you about YOUR patient health information?

++++++++++

Common UDI Mistakes You Can Avoid

In case you missed it, resident Unique Device Identification expert Gary Saner will present a free webinar next Thursday about common mistakes he’s seen from the more than 100,000 UDI applications his company has processed.

See http://medgroup.biz/UDI-mistakes to register for free.

If you support a Class II medical device, you won’t want to miss it.

++++++++++

Discussions

Medical device tax repeal efforts update

Implanted medical devices

Can a dog be a medical device?

Notified bodies requesting evidence of simulation of product recall procedures?
http://bit.ly/I-dont-recall

Ultrasound is still underutilized. What new usage scenarios and applications?

++++++++++

Make it a great week.

Joe Hage
Medical Devices Group Leader

P.S. We’re moving the Medical Devices Group off LinkedIn. To stay involved, sign up at http://medgroup.biz/MOVE

---

Benjamin Ghanoongooi
Senior Quality Assurance Consultant at GIL Intl CSvs Inc
Thank you for this post. Please visit my post Code of Conduct and see the difference between when you should do the right thing and knowing the difference of what you have right to do. It breaks down in detail criminal cover up of racism of African Americans and promotion of Anti- Semitic behaviors of executive management of criminal organization called Boston Scientific and why such major US manufacturer intentionally manufacturing defective medical devices and market internationally and yet with all their financial capability and access to the best legal law firms cannot stop the spread of Code of Conduct from public awareness.

Karl Schulmeisters
Principal and Founder at ExStreamVR
There are other aspects to this that are even more subtle – which I’ve written about in the link below.
http://www.cg-hg.com/Blog/Post/24/Authentication-vs–Repudiation-in-IoT-and-mHealth–weaknesses-in-Apple%E2%80%99s-ResearchKit-Microsoft%E2%80%99s-HealthVault-Google%E2%80%99s-FitKit

Karen Eason
Owner at BizSplice, LLC
Good! I knew the day was coming! It is about time companies will be forced to comply. Unlike a credit card number breach, you can’t just apply for new health data, once it’s out there it is out there.

Maren Nelson
Medical Device Development, Quality System, and Regulatory Specialist
Thanks for sharing this Joe!

Mark Maloney
CEO, Venops l Experts in Exclusion List Monitoring l Patient Privacy Protection l Open Payments Monitoring
Yes the penalties (CMP) are real! One of our board members has a multi-million dollar story makes anyone a believer. Venops is trying to help physician-owned facilities and practices protect themselves from many preventable civil monetary penalties. We are interested in strategic alliances to strengthen our offering in this specialized area.

David Harlow
Health Care Innovation // Lawyer / Consultant / Advisor / Speaker
The $3.5m fine is the third fine imposed on Triple-S. Two of the three relate to an overlapping series of breaches (Puerto Rico regulators fined the company $6.8m about a year ago). See: http://healthblawg.com/2015/11/times-triple-breaches.html. Aside from the size of the fines, I think it is important to take away from this incident (as well as the recent Lahey Clinic fine, and other HIPAA cases) that the federales are interested not only in extracting the pound of flesh but in working with “the regulated community” to make sure systems are in place to ensure that further breaches do not occur. Triple-S is now operating under a typical settlement agreement that includes about four years of close oversight by the federales, starting with the company doing a risk assessment, and then developing/implementing appropriate policies and procedures. On the one hand, it is surprising that there isn’t a higher degree of compliance so many years in; OTOH, enforcement has been lax overall.

David P. Depman ✓
Sales and Team Leader at Xanda Body Marbling (Part of the MSB Group), Cofounder of MSB Group.
Huge issue not only in the States, but here in EU as well. Data protection is being more closely scrutinized every year (month, day…) Not only is your own system your concern, but also any contractor with whom you work. Just ask T-mobile about the Experian hack that exposed 15 million T-Mobile customer’s sensitive info. Both are now being sued in CA, IL and FL, and it wasn’t even T-Mobile that got hacked! The IoT will also bring messy legal ramifications. Seems when you connect every device, you connect every lawsuit too.

Tristan Zotaj
—
Please Im drive no comments traffic problems

Tristan Zotaj
—
I coming here for helping for my brother stop for jobless.My beg brothers BARRY R. RABOVSKY LAWYES ATERNEY ILLINOIS MAKE ACCIDENT.I NEED HALP ASSISTANCE OK COLLEGE EVERYTHING.IM GOING DRIVER FOR HOSPITAL SEE YOU NEXT TIME.

Charles Sanders
Orthodontist, Entrepreneur, B2B Healthcare Technology Copywriter, Voice actor
Joe, thanks!
This is an enormous ‘wake-up call’. As a clinician, I’m acutely aware of the risks involved with the exchange of PHI between providers and insurers. This is especially so for larger providers with EHR on ‘secure’ servers and the ever present risks of hacking of PHI. This penalty evokes the need for even more vigilance.

Lorne Wiebe
Aviation, Energy and Environmental Insurance Broker at Rhodes & Williams Limited
Joe,

This is a big issue and the courts have made it clear that there is a very high level of expectation placed on companies entrusted with personal medical information. Most breaches are accidental and a robust cyber insurance policy can protect your company if information is inadvertently made public.

Lorne