Ricardo Rivera Cardona of the Puerto Rico Health Insurance Administration, intending to send a message by imposing the largest penalty to date ($6.8 million) arising out of a breach of protected health information under HIPAA, as reported by Infomation Security Media Group, is quoted as saying:
We are sending a message that we are here to enforce…There are no exceptions, no matter how big or small an institution is. ASES will make sure patients have access to medical services, and that their patient information is also protected. We are adamant about this.
The incident apparently did not involve a hi-tech hacking, theft of data or even the more popular lost laptop. It is reported to have resulted from a mailing error by Triple S Salud, a local insurer and division of Triple-S Management Corp., to approximately 13,000 individuals that displayed the individuals’ Medicare health insurance claim number. Note that many believe that information is not PHI unless it includes sensitive medical information about an individual, such as the individual’s diagnosis. That is simply not the case.
Of course, the covered entity can appeal the penalty. However, the federal Office for Civil Rights also can decide to take enforcement action, although that agency has not decided what, if any, action it will take. We know that OCR has tried to send a message similar to the Puerto Rico enforcement authority concerning enforcement regardless of the size of the covered entity. In remains to be seen how vigorous enforcement will be given the lack of resources at these agencies, however, these enforcement actions certainly should spur covered entities and business associates to review their level of compliance.