The U.S. Department of Health and Human Services' Office for Civil Rights settled potential HIPAA violations with Puerto Rico-based MAPFRE Life Insurance for $2.2 million, OCR announced Jan. 18.
The settlement covers the theft of a USB drive containing the ePHI of 2,209 members. The drive was taken from the IT department, where it had been left overnight, in September 2011. It contained complete profiles of members, including names, Social Security numbers and dates of birth.
OCR alleged MAPFRE didn't have the necessary safeguards in place to prevent theft of ePHI. Officials also cited a lack of urgency in data protection. The OCR investigation revealed MAPFRE failed to conduct a risk analysis and implement risk management plans, and also failed to encrypt ePHI, or apply an equivalent alternative measure, on laptops and removable drives until September 2014.
MAPFRE also delayed implementation or failed to implement corrective measures that it informed OCR it would undertake.
The settlement was finalized on Jan. 11, and MAPFRE entered into a corrective action plan with OCR.
"Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well," OCR Director Jocelyn Samuels said in a statement. "OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences."
"With this resolution amount, OCR balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing," officials said in a statement.
Per the corrective action plan, MAPFRE must demonstrate a risk analysis and risk management plan; implement a process to evaluate environmental and operational changes; and review, revise as necessary, and distribute its current privacy and security policies and procedures.
MAPFRE must also provide regular training and certify its workforce members.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com