June 13, 2017

June 12, 2017


Second HIPAA Enforcement Action of 2017 – Failure to Safeguard Electronic Health Information

Key Takeaways

  • A Puerto Rico life insurance company failed to safeguard ePHI stored on a USB storage device

  • $2.2 million penalty plus corrective action plan

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has announced a $2.2 million Health Insurance Portability and Accountability Act (HIPAA) settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE Life”) regarding the impermissible disclosure of unsecured electronic protected health information (ePHI). On September 29, 2011, MAPFRE Life reported to OCR that a USB data storage device, described as a pen drive, containing the protected health information (PHI) of 2,209 individuals was stolen from its IT department, where it had been left overnight. The pen drive included the complete names, dates of birth and Social Security numbers of the affected individuals. As a result of this report, OCR investigated and determined that MAPFRE Life had not conducted a thorough assessment of the risks and threats to the confidentiality, integrity, and availability of its ePHI and, as a result, had failed to implement security measures sufficient to reduce those risks to a reasonable and appropriate level, including by failing to encrypt ePHI. MAPFRE Life did not use encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. OCR also determined that MAPFRE Life failed to implement reasonable and appropriate policies and procedures to comply with the requirements to safeguard ePHI and did not implement a security awareness and training program for all members of its workforce.

MAPFRE Life agreed to pay $2,204,182 and to enter into a three-year Corrective Action Plan aimed at addressing the noncompliance discovered by OCR during its investigation. In its press release, OCR noted that this settlement amount balances the potential violations of the HIPAA rules against MAPFRE Life’s financial standing. MAPFRE Life is a subsidiary of a multinational insurance company headquartered in Spain; it underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.

This settlement, the second HIPAA settlement of 2017, emphasizes the need for covered entities to protect all types of PHI.

Earlier this month, Presence Health, an Illinois health care network, settled with OCR for $475,000 and agreed to a two-year corrective action plan resulting from a delay in issuing breach notifications following the breach of unsecured PHI. A Client Alert regarding this earlier settlement is available here. Together, these settlements signal that 2017 may be another highly active year for HIPAA enforcement.

©2017 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author


Jennifer R. Breuer is Vice Chair of Drinker Biddle's Health Care Practice Group and Co-Chair of the firm’s Women's Leadership Committee. Jennifer represents health care providers and suppliers in transactional, compliance and regulatory matters, with a focus on Stark Law and Anti-Kickback Statute compliance for hospital-physician relationships and data strategy/privacy law compliance for electronic health records, health information exchanges and other technology platforms. She also regularly assists in the development of compliance strategies for ehealth and...


Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, most recently as a Senior Attorney in the Division of Privacy and Identity Protection. In that division, Katherine led Fair Credit Reporting Act (FCRA) initiatives, including law enforcement investigations, consent negotiations, rulemakings, and other interpretive policy initiatives. During her tenure at the Commission, she served as an Attorney Advisor to Chairman Janet Steiger and Commissioner Sheila Anthony and was responsible for counseling on matters of consumer protection policy and enforcement.


Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...