Federal HIPAA violation penalties may be capped at $1.5 million per incident per year, but there are also state and regional fines for those disregarding privacy and security laws.
Case in point: Triple-S Management Corp., a San Juan-based insurance holding company, was recently slapped with $6.8 million in penalties for improperly handling the medical records of some 70,000 individuals, according to HHS data and a Caribbean Business report.
Triple-S reportedly mailed letters to its Medicare Advantage patients with the Medicare numbers visible from the outside.
Puerto Rico's Health Insurance Administration slapped the company with the fines, based on a breach that occurred in September of last year. This is the second big HIPAA breach for Triple-S -- which currently handles the benefits for some 2.2 million people -- according to HHS data.
Federal HIPAA rules require HIPAA-covered entities and business associates to provide breach notification to affected individuals no more than 60 days after discovering the breach.
As for federal investigations underway, HHS spokesperson Rachel Seeger told Healthcare IT News the investigations involving the breaches at Triple-S Salud are still open and under investigation. "We cannot comment further on the status of these cases at this time," she said.
"The (Puerto Rico Health Insurance Administration) in its obligation to ensure the privacy and integrity of your protected health information reiterates its commitment to comply with its affiliates to prevent situations like this from recurring in the future," read a notice on Puerto Rico's Health Insurance Administration website.
Puerto Rico HIPAA-covered entities and business associates have been responsible for breaching the medical records of nearly 699,000 individuals since 2008.
Nationwide, some 29.3 million individuals have been affected by a HIPAA privacy or security breach.