ARTICLE
30 January 2017

Puerto Rico Insurer Ponies Up $2.2 Million For HIPAA Problems

DP
Day Pitney LLP

Contributor

Day Pitney LLP logo
Day Pitney LLP is a full-service law firm with more than 300 attorneys in Boston, Connecticut, Florida, New Jersey, New York and Washington, DC. The firm offers clients strong corporate and litigation practices, with experience on behalf of large national and international corporations as well as emerging and middle-market companies. With one of the largest individual clients practices on the East Coast, the firm also has extensive experience assisting individuals and their families, fiduciaries and tax-exempt entities plan for the future.
Explore
On January 18, the U.S. Department of Health and Human Services' Office for Civil Rights announced a settlement with MAPFRE Life Insurance of Puerto Rico under which the company paid $2.2 million to settle alleged violations of the HIPAA Privacy and Security Rules.
United States Food, Drugs, Healthcare, Life Sciences
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

On January 18, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced a settlement with MAPFRE Life Insurance of Puerto Rico under which the company paid $2.2 million to settle alleged violations of the HIPAA Privacy and Security Rules.

MAPFRE reported in September 2011 that a USB flash drive containing the electronic protected health information (ePHI) of 2,209 insurance beneficiaries was stolen from its IT department. The drive, which had been left unsecured overnight, contained names, Social Security numbers and dates of birth.

OCR's investigation determined that MAPFRE had failed to conduct a risk analysis and implement risk management plans, and had failed to encrypt data or deploy an equivalent measure on its laptops and removable drives until September 2014. According to OCR, MAPFRE also failed to implement corrective measures that it had informed OCR it would undertake.

In OCR's press release, Director Jocelyn Samuels said, "Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well." The press release stated that in determining the penalty, "OCR balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing," suggesting that OCR felt that the violations warranted an even steeper penalty.

In addition to the $2.2 million payment, MAPFRE entered into a Corrective Action Plan requiring it to conduct a thorough risk analysis and develop a risk management plan; implement a process to evaluate changes affecting the security of its ePHI; and review, revise and distribute its HIPAA policies and procedures to its workforce and business associates. MAPFRE must also periodically train its personnel, as all covered entities and business associates are already required to do under HIPAA.

For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.

Click here for more Healthcare Blogs from Day Pitney

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Day Pitney LLP
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More