OCR Gives Another Expensive Lesson in HIPAA Security Compliance

Written by: Richard Sheinis, Esq.

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) has agreed to a $2.2 million settlement with MAPFRE Life Insurance Company of Puerto Rico for potential non-compliance with the HIPAA Security Rule. MAPFRE filed a report with HHS stating that a “pen drive” containing the ePHI of 2,209 individuals was stolen from its IT department. OCR’s investigation revealed that MAPFRE had failed to conduct a HIPAA-required risk analysis, failed to implement a risk management plan, and failed to encrypt ePHI on its laptops or removable storage media. MAPFRE then failed to implement the corrective measures it told OCR it would take. In addition to paying $2.2 million, MAPFRE agreed to a corrective action plan.

I have told many health care providers that the fact that a breach occurred will not automatically result in a fine from OCR. OCR recognizes that breaches can occur even when the Security Rule is followed. However, if OCR finds that a health care provider thumbed its nose at HIPAA Security Rule compliance before the breach, and then failed to take appropriate corrective action after the breach, the provider has something to worry about. It is also worth noting that had the pen drive been encrypted in line with HHS guidance, its theft would not have been a breach of unsecured PHI in the first place. Security Rule compliance is really not that difficult. You just need a plan. It might seem daunting at first, but as the saying goes, every journey begins with a single step.
