Insurer to Pay $2.2M HIPAA Settlement for Disclosure of Unsecured ePHI

Jan. 19, 2017
MAPFRE Life Insurance Company of Puerto Rico has agreed to settle potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by paying $2.2 million.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the HIPAA settlement this week and highlighted that the settlement demonstrates the importance of implementing safeguards for electronic protected health information (ePHI).

Along with the $2.2 million settlement, MAPFRE Life Insurance Company of Puerto Rico also agreed to settle potential noncompliance with the Privacy and Security Rules by implementing a corrective action plan.

“With this resolution amount, OCR balanced potential violations of the HIPAA rules with evidence provided by MAPFRE with regard to its present financial standing. MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans,” HHS OCR officials stated in a press release.

According to an HHS OCR investigation, on September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department, where it had been left overnight.

“According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. The report noted that the breach affected 2,209 individuals. MAPFRE informed OCR that it was able to identify the breached ePHI by reconstituting the data on the computer on which the USB data storage device was attached,” HHS OCR stated in the press release.

OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically, “a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014.” MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake, according to HHS.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a prepared statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
