The new year continues as the old ended, with HIPAA enforcement actions. On Jan. 11, 2017, MAPFRE Life Insurance Company of Puerto Rico (MAPFRE Life) entered into a Resolution Agreement with the United States Department of Health and Human Services, Office for Civil Rights (HHS) in which MAPFRE Life agreed to pay approximately $2.2 million and enter into a corrective action plan (CAP) with a duration of three years in exchange for a release of HHS’ claims related to certain HIPAA violations by MAPFRE Life.

A cursory reading suggests that the $2.2 million payment was imposed on MAPFRE Life for a breach of approximately 2,200 records, which would put the payment far above other fines HHS has issued for breaches of similar size.

A closer look, however, reveals that the fine is not a direct response to the fact that MAPFRE Life reported a stolen USB stick containing the 2,200 records. Instead, the breach report triggered an investigation of MAPFRE Life’s compliance with the HIPAA regulations, and here things became problematic for MAPFRE Life. The investigation not only confirmed the missing USB stick, it also revealed:

  • Failure to conduct a risk analysis of the risks and vulnerabilities to ePHI;
  • Failure to implement a security awareness and training program;
  • Failure to implement a mechanism to encrypt ePHI; and
  • Failure to implement reasonable and appropriate policies and procedures to safeguard ePHI.

In other words, it appears that MAPFRE Life, at best, had a set of HIPAA policies stored away in a drawer somewhere but did very little to actually implement them. To make matters worse, when HHS asked for a description of its HIPAA compliance program, MAPFRE Life, among other inaccurate representations, asserted that it had deployed encryption on its portable devices after discovering the breach, when in reality it did not complete the implementation of an encryption solution until almost three years after discovering and reporting the breach.

As a result of the investigation and after entering into the Resolution Agreement, MAPFRE Life is now subject to a three-year CAP that reads like a roadmap to HIPAA compliance. Pursuant to the CAP, MAPFRE Life is required to do the following:

  1. Perform a comprehensive risk analysis, including a complete inventory of all electronic equipment (media devices, data systems, and applications) that contains or stores ePHI, and develop a risk management plan
  2. Implement a process for evaluating environmental and operational changes
  3. Implement its existing policies and procedures
  4. Review and revise its policies and procedures annually
  5. Make no disclosure of ePHI to workforce members or business associates without written certification of compliance
  6. Provide HIPAA training to workforce members within 30 days of hire

The burden for MAPFRE Life, beyond the $2.2 million payment, is that HHS will supervise every step of its HIPAA compliance program for the next three years. For other covered entities, the CAP is an opportunity to learn from MAPFRE Life’s mistakes by implementing a satisfactory HIPAA compliance program in line with the detailed instructions HHS provided through it.

Lessons learned (and relearned):

  • Encrypting portable devices reduces the risk of a breach and significantly limits a covered entity’s exposure in the event of a compliance audit
  • All portable devices containing PHI should be accounted for at all times
  • There are no “small” breaches; any breach report to HHS may trigger an audit
  • HHS expects covered entities to be serious about implementing their policies and procedures, not merely documenting them
  • If a security incident or breach exposes weaknesses in the covered entity’s HIPAA compliance program, the entity should take immediate action to remedy them, and should describe that remediation to HHS accurately