The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).  MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million and implementing a corrective action plan. With this resolution amount, OCR balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing.  MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.

On September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department, where the device was left without safeguards overnight.   According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers.   The report noted that the breach affected 2,209 individuals.   MAPFRE informed OCR that it was able to identify the breached ePHI by reconstituting the data on the computer on which the USB data storage device was attached. OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014.  MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake. 

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE

OCR’s guidance on breach notification may be found at http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html

Follow OCR on Twitter at http://twitter.com/HHSOCR