Already, 2017 looks to be another big settlement year. January opened with a $2.2 million HIPAA settlement involving a life insurance company in Puerto Rico, highlighting how essential it is that every health care organization perform HIPAA risk assessments.
In a press release dated January 18, the Office for Civil Rights (OCR) outlined a new HIPAA settlement with MAPFRE Life Insurance Company of Puerto Rico. This new settlement comes to the cost of $2.2 million. The OCR stated that the settlement amount was determined after reviewing the evidence, including the income of the company.
On September 29, 2011, MAPFRE reported a breach to the OCR concerning a USB drive that was stolen from its IT department. The device contained protected health information (PHI) and had been left unguarded overnight. The PHI on the device included patient names, dates of birth and Social Security numbers for 2,209 patients. MAPFRE was able to determine what information was on the device by reconstituting the data from the computer to which the USB drive had been attached.
What did the investigation find?
The OCR investigation discovered that MAPFRE had not conducted a risk analysis or implemented risk management plans. Additionally, MAPFRE failed to encrypt or use an alternative measure to protect PHI on removable media until September 1, 2014. The OCR also stated that MAPFRE failed to implement other corrective actions despite claiming that it would.
More HIPAA Risk Assessments?
The OCR specifically stated in the press release that covered entities should not only conduct HIPAA risk assessments but also act on their findings. After the breach was discovered in 2011, MAPFRE should have implemented encryption immediately. Instead, MAPFRE waited three years. Encryption and decryption is an addressable implementation specification, meaning a covered entity must implement encryption or, if encryption is not financially feasible for the organization, an alternative measure that protects the PHI.
Sign up with HIPAAgps today to start using our HIPAA compliance tools, which include a detailed HIPAA Risk Assessment.