On January 18, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement with MAPFRE Life Insurance of Puerto Rico under which the company paid $2.2 million to settle alleged violations of the HIPAA Privacy and Security Rules.
MAPFRE reported in September 2011 that a USB flash drive containing the electronic protected health information (ePHI) of 2,209 insurance beneficiaries was stolen from its IT department. The drive, which had been left unsecured overnight, contained names, Social Security numbers and dates of birth.
OCR's investigation determined that MAPFRE had failed to conduct a risk analysis and implement risk management plans, and had failed to encrypt data or deploy an equivalent measure on its laptops and removable drives until September 2014. According to OCR, MAPFRE also failed to implement corrective measures that it had informed OCR it would undertake.
In OCR's press release, Director Jocelyn Samuels said, "Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well." The press release stated that in determining the penalty, OCR "balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing," suggesting that OCR felt that the violations warranted an even steeper penalty.
In addition to the $2.2 million payment, MAPFRE entered into a Corrective Action Plan requiring it to conduct a thorough risk analysis and develop a risk management plan; implement a process to evaluate changes affecting the security of its ePHI; and review, revise and distribute its HIPAA policies and procedures to its workforce and business associates. MAPFRE must also periodically train its personnel, as all covered entities and business associates are already required to do under HIPAA.