Insurer Slapped with $2.2 Million HIPAA Settlement
HHS Cites Company's Missteps in Wake of Small Breach
In the final days of the Obama administration, the Department of Health and Human Services has issued its second HIPAA enforcement action for 2017. HHS' Office for Civil Rights has entered a $2.2 million settlement with a Puerto Rican insurance company in the wake of its investigation of a 2011 breach involving a stolen unencrypted USB drive that affected only about 2,000 individuals.
The substantial penalty for the breach stems from the lack of timely corrective action after the breach by MAPFRE Life Insurance Co. of Puerto Rico, OCR explains in a statement.
"OCR's investigation revealed MAPFRE's noncompliance with the HIPAA rules, specifically, a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014," OCR notes. "MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake."
OCR Director Jocelyn Samuels notes: "Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well. OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences."
In setting the size of the penalty, OCR notes that its resolution agreement also "balanced potential violations of the HIPAA rules with evidence provided by MAPFRE with regard to its present financial standing."
MAPFRE is a subsidiary company of MAPFRE S.A., a multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans, OCR notes.
Breach Investigation Details
OCR's settlement with MAPFRE stems from a breach report the insurance company filed on Sept. 29, 2011, indicating that a USB data storage "pen drive" device containing electronic protected health information was stolen from MAPFRE's IT department where it was left overnight.
Compromised data included names, dates of birth and Social Security numbers of 2,209 individuals. OCR notes that MAPFRE said it was able to identify the breached ePHI by reconstituting the data on the computer to which the USB data storage device was attached.
Common Issues With a 'Twist'?
The latest HIPAA enforcement action by OCR focuses on a weakness - the lack of a risk analysis - that's been spotlighted in many previous HIPAA settlements, notes Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine. But this settlement also cites MAPFRE's alleged lack of timely corrective action in the wake of the breach, he adds.
"While the breach gets the attention, OCR's press release highlights the lack of a risk analysis and risk management plan and the alleged failure to follow through on representations to OCR," Greene says. "Be careful what you promise to OCR, because you will need to follow through."
Privacy attorney Kirk Nahra notes: "This is a 'normal' breach settlement with the added twist that the company had problems before and didn't fix them. One bit of advice: Do what you commit to doing with OCR or any other regulatory/enforcement agency, or pray hard that nothing bad happens."
Companies always need to meet their compliance obligations, Nahra adds. "But there is no bigger risk than telling an agency something and then not doing it."
More Settlements Soon?
The settlement with MAPFRE is the second HIPAA enforcement action OCR has taken so far in 2017. That follows a record year in 2016, when OCR issued far more settlements - 13, plus one civil monetary penalty case - than in previous years.
But with the upcoming transition to the Trump administration, it could be a while before OCR takes additional enforcement action, Greene notes.
"I expect that after January 20th, we may have a lull in published settlements as new leadership comes on board at OCR," he says. "From there, it is anyone's guess as to whether the pace of settlements will return to what we saw in 2016, or whether a new political appointee had different enforcement priorities."
On Jan. 9, OCR issued a $475,000 financial settlement and corrective action plan with Chicago-based Presence Health tied to the organization's tardy notification for a 2013 paper records breach affecting about 800 individuals.
Corrective Action Plan
OCR's corrective action plan calls for the insurance company to:
- Conduct a risk analysis and implement a risk management plan;
- Implement a process for evaluating environmental and operational changes;
- Update its policies and procedures and distribute them to its workforce.
In the corrective action plan, OCR notes that MAPFRE's updated policies and processes must address:
- Uses and disclosures of PHI;
- Workforce training;
- Security management process;
- Device and media controls;
- Security rule policies and procedures;
- Encryption and decryption;
- Workstation use.