HHS Reaches $2.2 Million Settlement With Life Insurance Company For Impermissible Disclosure Of ePHI

King & Spalding
On January 18, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) announced that it had agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico (“MAPFRE Life”), a subsidiary of MAPFRE S.A. of Spain, to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The settlement relates to MAPFRE Life’s impermissible disclosure of unsecured electronic protected health information (“ePHI”). 

On September 29, 2011, MAPFRE Life reported that on August 5, 2011, a USB storage device containing the ePHI of 2,209 individuals was stolen from its IT department, where it had been left overnight. According to the report, the USB data storage device included complete names, dates of birth, and Social Security numbers. HIPAA’s breach notification rule requires that HIPAA covered entities that experience a breach affecting more than 500 individuals give notice to HHS OCR “without unreasonable delay,” but no later than 60 days after discovery of the breach.

HHS OCR initiated an investigation of the incident to evaluate MAPFRE Life’s compliance with HIPAA Rules and concluded that MAPFRE Life (1) failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by MAPFRE Life, (2) failed to implement sufficient security measures, (3) failed to implement a security awareness and training program for all members of its workforce, (4) failed to implement a mechanism to encrypt electronic PHI, and (5) failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements to safeguard ePHI.

In addition to the $2.2 million civil penalty, MAPFRE Life entered into a three-year corrective action plan (“CAP”), under which MAPFRE Life agreed to a series of timetables for conducting a risk analysis and implementing a risk management plan, evaluating and updating its policies and procedures, and implementing training.  MAPFRE Life also must send HHS OCR an implementation plan within 150 days of signing the CAP, provide HHS OCR with annual reports for a period of three years, and retain all documents related to the CAP for a period of six years.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
