On November 30, 2015, the U.S. Department of Health and Human Services (“HHS”) announced that Triple-S Management Corporation (“Triple-S”), an insurance holding company based in San Juan, Puerto Rico, agreed on behalf of certain of its subsidiaries to settle potential violations of the HIPAA Privacy and Security Rules with HHS’s Office for Civil Rights (“OCR”).

The case stems from an OCR investigation into the company’s compliance with HIPAA rules, which was initiated after OCR received multiple notifications from Triple-S regarding breaches of unsecured protected health information (“PHI”). The investigation indicated “widespread non-compliance” throughout Triple-S and its subsidiaries, including (1) failure to implement appropriate administrative, physical and technical safeguards to protect PHI; (2) failure to do a thorough and accurate risk analysis of its IT equipment, applications and data systems utilizing PHI; and (3) impermissible disclosure of PHI to an outside vendor with which it did not have an appropriate business associate agreement.

Under the settlement agreement, Triple-S is required to pay $3.5 million and establish a comprehensive compliance program designed to protect the security, confidentiality and integrity of the personal information it collects from its beneficiaries.