$2.2 Million Settlement for Impermissible Disclosure of ePHI

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has agreed to a $2.2 million settlement with MAPFRE Life Insurance Company of Puerto Rico, a subsidiary of MAPFRE S.A. of Spain, to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted.

MAPFRE Life reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals.

Multiple Areas of Noncompliance with HIPAA Rules Discovered

During the course of the investigation, OCR discovered numerous HIPAA noncompliance issues:

45 C.F.R. 164.502(a) – Impermissible disclosure of the ePHI of 2,209 individuals.

45 C.F.R. 164.308(a)(1)(i) – A failure to conduct a comprehensive risk assessment to evaluate risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and a failure to implement measures to reduce those risks to a reasonable and appropriate level.

45 C.F.R. 164.308(a)(5)(i) – A failure to implement a security awareness training program for all members of the workforce.

45 C.F.R. 164.312(a)(2)(iv) – A failure to implement data encryption or an equivalent measure to safeguard the ePHI stored on portable storage devices.

45 C.F.R. 164.316(a) – A failure to implement reasonable and appropriate policies and procedures to safeguard ePHI and to comply with the HIPAA standards and implementation specifications.

Additionally, the corrective measures MAPFRE Life said it would undertake following the submission of a breach report to OCR on August 5, 2011 were delayed. MAPFRE Life did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

OCR considered the financial position of MAPFRE Life along with the number and severity of HIPAA violations when determining the resolution amount. In addition to paying OCR $2,204,182, MAPFRE Life is required to adopt a corrective action plan to address all areas of noncompliance.

HIPAA and Data Encryption

HIPAA does not require covered entities to implement encryption on portable devices used to store ePHI; data encryption is an addressable implementation specification rather than a required one. However, covered entities must conduct a thorough risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. If, after assessing those risks, a covered entity determines that other controls adequately safeguard ePHI and that encryption is not appropriate, the reasons for not implementing encryption must be documented.

Recent HIPAA Settlements

OCR has stepped up its enforcement of HIPAA Rules in recent years, with more settlements agreed in 2016 than in any other year to date. Last year, 12 healthcare organizations settled potential HIPAA violations with OCR, and one civil monetary penalty (CMP) was imposed.

MAPFRE Life is the second HIPAA-covered entity to settle potential HIPAA violations with OCR in 2017. Last week, OCR announced that a settlement of $475,000 had been agreed with Presence Health for violations of the HIPAA Breach Notification Rule.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.