Covered entities doing business in Puerto Rico are subject to HIPAA compliance obligations. “HIPAA Puerto Rico” consists of compliance with both federal HIPAA and local Puerto Rico laws regarding medical record privacy and security. In this sense, therefore, “HIPAA Puerto Rico” is the same as “HIPAA Arkansas” or “HIPAA Florida”: in each instance, the covered entity must follow HIPAA as well as the laws of the specific jurisdiction.
OCR Enforcement of HIPAA Puerto Rico
The Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR) has investigated and fined Puerto Rico-based entities at which data breaches have occurred.
A notable example of this took place in 2015, when OCR fined Puerto Rico-based Triple-S Management, an independent licensee of the Blue Cross Blue Shield Association, in the amount of $3.5 million. The investigation was initiated after OCR received multiple breach notifications from Triple-S. These breaches included several large incidents that each affected over 500 individuals, as well as several that impacted fewer than 500 individuals.
The breach reports appeared to be unrelated. Triple-S had previously been fined in February 2014, when one of its subsidiaries, Triple S Salud, was fined in the amount of $6.8 million for a 2013 breach in which a mailing error affected approximately 13,000 beneficiaries. Along with the fine, OCR required Triple-S to implement a plan to ensure further breaches would not occur.
With respect to the fines, OCR revealed that its investigations indicated widespread non-compliance throughout Triple-S, including:
- Failure to implement appropriate administrative, physical and technical safeguards to protect beneficiary PHI privacy;
- Impermissible disclosure of beneficiary PHI to an outside vendor with which Triple-S did not have an appropriate business associate agreement;
- Use or disclosure of more PHI than was necessary to carry out mailings;
- Failure to conduct an accurate and thorough risk analysis; and
- Failure to implement security measures sufficient to reduce ePHI risks and vulnerabilities to a reasonable and appropriate level.
In the 2015 settlement, OCR imposed a corrective action plan, requiring Triple-S to establish a comprehensive compliance program to protect the security, confidentiality, and integrity of beneficiary personal information. The plan required Triple-S to:
- Implement a risk analysis and a risk management plan;
- Implement a process to evaluate and address any environmental or operational changes that affect the security of the ePHI Triple-S held;
- Develop policies and procedures to facilitate compliance with the HIPAA administrative safeguard provisions; and
- Develop a training program covering the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, for all members of the workforce, and for business associates providing services on Triple-S’ premises.