- The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a HIPAA settlement stemming from allegations of a lack of ePHI safeguards.
MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) agreed to the approximate $2.2 million settlement, in which it must also implement a corrective action plan.
MAPFRE settled potential HIPAA violations that alleged the organization did not have the necessary safeguards in place to keep a USB data storage drive protected.
An OCR breach report was filed on September 29, 2011, stating that the USB drive containing ePHI had been stolen from the MAPFRE IT department. Names, dates of birth, and Social Security numbers for 2,209 individuals were reportedly on the device.
OCR determined in its investigation that MAPFRE failed to conduct its risk analysis and implement risk a management plans, contrary to its prior representations. Furthermore, MAPFRE did not utilize encryption “or an equivalent alternative measure on its laptops and removable media until September 1, 2014.”
“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well” OCR Director Jocelyn Samuels said in a statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
MAPFRE also failed to implement a security awareness and training program for workforce members, OCR explained in the resolution agreement. There were also not “reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements to safeguard ePHI.”
Per the corrective action plan, MAPFRE must do the following:
- Conduct a risk analysis and implement a risk management plan
- Implement process for evaluating environmental and operational changes
- Review – and revise if necessary – its current Privacy and Security Rules policies and procedures
- Distribute the policies and procedures. Assess, update, and revise them as necessary
- Workforce members must be given regular training, certifying they’ve received it
The implemented policies and procedures will also need to adhere to numerous aspects of the HIPAA Privacy and Security Rules. For example, MAPFRE must ensure that the proper uses and disclosures of PHI are followed, as well as proper device and media controls.
As previously discussed by HealthITSecurity.com, there are four general rules that covered entities must follow to ensure the protection of PHI:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce.
An organization’s size, complexity, and capabilities must be considered, along with its technical, hardware, and software infrastructure.
“A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level,” HHS states on its website. “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”
The risk analysis is also a key aspect of HIPAA administrative safeguards. Covered entities must evaluate the likelihood and impact of potential risks to ePHI, implement appropriate security measure to address those risk areas, and document the security measures. Where appropriate, the reason for adopting those measures should also be documented.
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS explains.
No covered entity or business associate can guarantee that a data breach will never occur. However, by ensuring that the necessary safeguards are in place, they can show regulating authorities that they worked toward keeping data protected and did not overlook the requirements.