Triple-S Management Corporation has agreed to settle potential HIPAA violations with the U.S. Department of Health and Human Services' Office of Civil Rights to the tune of $3.5 million, after repeatedly failing to put safeguards in place for its beneficiaries' PHI.

In addition, the San Juan, P.R.-based insurance holding company will implement a robust corrective action plan to correct its HIPAA compliance deficiencies, an effort that's already been initiated.

[See also: Lahey pays $850K for 'widespread' HIPAA non-compliance]

"OCR remains committed to strong enforcement of the HIPAA Rules," OCR Director Jocelyn Samuels, said in a press statement. "This case sends an important message for HIPAA Covered Entities, not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information," she continued.

HHS received "multiple breach notifications" from Triple-S about unsecured protected health information, according to OCR, which soon launched its investigation to verify HIPAA compliance.

[See also: Courting HIPAA risk with message apps]

The subsequent investigation revealed widespread non-compliance throughout Triple-S and its subsidiaries.

This included failure to implement appropriate administrative, physical and technical safeguards to protect beneficiaries' PHI privacy; impermissible disclosure of beneficiaries' PHI to outside vendors without appropriate business associate agreements; use or disclosure of more PHI than necessary for mailings; failure to conduct accurate and thorough risk analysis; failure to implement security measures sufficient to reduce risks and vulnerabilities.

Triple-S fully cooperated with the HHS investigation and agreed to instate a comprehensive HIPAA compliance program, a condition of the settlement. (Its wholly-owned subsidiaries Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc. are also covered in the settlement.)

[See also: Group slapped with $6.8M HIPAA fine]

OCR has offered technical assistance to help with the corrective plan and will continue to work with the OCR to gain HIPAA compliance.

To obtain good-standing, Triple-S must create a risk analysis and risk management plan; a process to evaluate and address environmental or operational changes affecting PHI security; policies and procedures to facilitate HIPAA compliance and a training program for all TRIPLE-S workforce and business associates.

"Triple-S is committed to protecting the privacy and security of its beneficiaries' health information and implementing the corrective action plan entered into with OCR," said TRIPLE-S President and CEO Ramon M. Ruiz, in a press statement.

"We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR's technical assistance to date and look forward to our collaboration in the future," he added.