Remember learning about "covered entities" in HIPAA training? Providers aren’t the only ones charged with guarding patients’ protected health information.
The U.S. Department of Health and Human Services announced a HIPAA settlement after MAPFRE Life Insurance Company of Puerto Rico disclosed unsecured electronic protected health information (ePHI). MAPFRE agreed to pay a $2.2 million settlement and implement a corrective action plan.
MAPFRE is a global insurance company headquartered in Spain that underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.
In 2011, MAPFRE filed a breach report. A USB data storage device containing ePHI was left unguarded overnight and subsequently stolen from its IT department. According to the report, the USB device included complete names, dates of birth, and Social Security numbers of 2,209 individuals.
The investigation revealed that MAPFRE was noncompliant with HIPAA. Specifically, it had failed to conduct a risk analysis and to implement a risk management plan. (Reminder: You must conduct a risk analysis at least annually.) MAPFRE also delayed or failed to implement corrective measures it claimed to undertake.
As part of its Corrective Action Plan, MAPFRE agreed to develop a complete inventory of all electronic equipment that stores ePHI, including portable media devices, data systems, and applications. This serves as a reminder for all HIPAA covered entities: your electronic device log must be kept up to date at all times! The loss or theft of such devices is among the most common causes of breaches.
© 2017 Jackson LLP, all rights reserved
About the author
Erin K. Jackson is Jackson LLP's Managing Partner. She is responsible for all aspects of firm management, is a sought-after speaker for healthcare conferences, and is a published author. She is specifically focused upon the intersection of the patient experience in healthcare with the legal and ethical responsibilities of providers.