December 1, 2021

Volume XI, Number 335

Puerto Rico Gets Serious About HIPAA (Health Insurance Portability and Accountability Act) – $6.8 Million in Penalties Connected to Data Breach

Ricardo Rivera Cardona of the Puerto Rico Health Insurance Administration, intending to send a message by imposing the largest penalty to date ($6.8 million) arising out of a breach of protected health information under HIPAA, is quoted, as reported by Information Security Media Group, as saying:

We are sending a message that we are here to enforce…There are no exceptions, no matter how big or small an institution is. ASES will make sure patients have access to medical services, and that their patient information is also protected. We are adamant about this.

The incident apparently did not involve a hi-tech hacking, theft of data or even the more popular lost laptop. It is reported to have resulted from a mailing error by Triple S Salud, a local insurer and division of Triple-S Management Corp., to approximately 13,000 individuals that displayed the individuals’ Medicare health insurance claim number. Note that many believe that information is not PHI unless it includes sensitive medical information about an individual, such as the individual’s diagnosis. That is simply not the case.

Of course, the covered entity can appeal the penalty. However, the federal Office for Civil Rights also can decide to take enforcement action, although that agency has not decided what, if any, action it will take. We know that OCR has tried to send a message similar to the Puerto Rico enforcement authority concerning enforcement regardless of the size of the covered entity. It remains to be seen how vigorous enforcement will be given the lack of resources at these agencies. However, these enforcement actions certainly should spur covered entities and business associates to review their level of compliance.

Jackson Lewis P.C. © 2021 National Law Review, Volume IV, Number 52

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890