The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently released a statement pertaining to a settlement with MAPFRE Life Insurance of Puerto Rico. MAPFRE agreed to a $2.2 million dollar settlement and corrective action plan for potential noncompliance with HIPAA after a USB device containing electronic protected health information (ePHI) was stolen from its IT department. OCR was notified of the stolen USB back in September of 2011. Included on the USB were individuals' names, birthdates and Social Security Numbers. It is believed that 2,209 people were affected by this breach. OCR launched an investigation and found that MAPFRE was in violation of HIPAA Privacy and Security Rules. What could MAPFRE have done differently according to OCR?
- Perform a risk analysis and make the necessary improvements based on the findings- An assessment to determine risks and vulnerabilities to ePHI should be performed. Then, steps should be taken to eliminate or mitigate these risks.
- Provide employee HIPAA training- Workforce members should take part in a security awareness and training program.
- Employ physical safeguards to protect ePHI- Security measures should be in place to physically protect computers, laptops, USBs, and other devices containing ePHI from unauthorized users.
- Utilize technical safeguards to protect ePHI- Data should be encrypted so that it is not accessible to unauthorized users.
- Implement administrative safeguards to protect ePHI- Specific policies and procedures should be established for handling ePHI.
By agreeing to this settlement, there is no admission or concession of guilt on MAPFRE's part. However, $2.2 million is a costly price to pay for something that all covered entities and their business associates should already be doing.