September 16, 2021

Volume XI, Number 259


Second HIPAA Enforcement Action of 2017 – Failure to Safeguard Electronic Health Information

Key Takeaways

  • Puerto Rico life insurance company failed to safeguard ePHI on a USB storage device

  • $2.2 million penalty plus corrective action plan

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has announced a $2.2 million Health Insurance Portability and Accountability Act (HIPAA) settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE Life”) regarding the impermissible disclosure of unsecured electronic protected health information (ePHI). On September 29, 2011, MAPFRE Life reported to OCR that a USB data storage device described as a pen drive containing the protected health information (PHI) of 2,209 individuals was stolen from its IT department where it was left overnight. The pen drive included the complete names, dates of birth and Social Security numbers of the affected individuals. As a result of this report, OCR investigated and determined that MAPFRE Life did not conduct a thorough assessment of the risks and threats to the confidentiality, integrity, and availability of ePHI and as a result failed to implement security measures sufficient to reduce these vulnerabilities to a reasonable and appropriate level, including the failure to encrypt ePHI. MAPFRE did not utilize encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. OCR also determined that MAPFRE Life failed to implement reasonable and appropriate policies and procedures to comply with the requirements to safeguard ePHI and did not implement a security awareness and training program for all members of its workforce.

MAPFRE Life agreed to settle for $2,204,182 and enter into a three-year Corrective Action Plan aimed at addressing the noncompliance discovered by OCR during its initial investigation. In its press release, OCR noted that this high settlement amount balances potential violations of the HIPAA rules with MAPFRE’s financial standing. MAPFRE Life is a multinational insurance company headquartered in Spain that underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.

This settlement, the second HIPAA settlement of 2017, emphasizes the need for covered entities to protect all types of PHI.

Earlier this month, Presence Health, an Illinois health care network, settled with OCR for $475,000 and agreed to a two-year corrective action plan resulting from a delay in issuing breach notifications following the breach of unsecured PHI. A Client Alert regarding this earlier settlement is available here. Together, these settlements signal that 2017 may be another highly active year for HIPAA enforcement.

© 2021 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume VII, Number 24

About this Author

Jennifer R. Breuer, Attorney, Drinker Biddle, Healthcare Lawyer
Partner

Jennifer R. Breuer represents health care providers and suppliers in transactional, compliance and regulatory matters, with a focus on Stark Law and Anti-Kickback Statute compliance for hospital-physician relationships. Jen also advises on data strategy and privacy law compliance for electronic health records, health information exchanges and other technology platforms. She regularly assists in the development of compliance strategies for ehealth and telemedicine providers.

Prior to attending law school, Jen worked as a strategy...

312-569-1256
Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney
Counsel

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection. In the Division of...

202-230-5674
Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney
Associate

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...

312-569-1268