In what seems to have become customary these days, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced another HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).
The violation dates back to September 29, 2011, when MAPFRE filed a breach report with OCR citing that a USB data storage device containing ePHI had been stolen from its IT department. Per the report, the USB device contained the complete names, dates of birth and social security numbers of 2,209 individuals.
Following the breach, OCR's investigation revealed that MAPFRE failed to take the necessary steps to comply with the HIPAA Rules, including conducting a risk analysis and implementing a risk management plan, until September 1, 2014. MAPFRE also failed to implement, or delayed implementing, other corrective measures it had informed OCR it would undertake.
The moral of the story? The days of flying under the radar are over. Prioritize your ePHI and take the necessary steps now (not in a week, month or year) to conduct a thorough security risk analysis and find out where your vulnerabilities lie. Do not put your organization in jeopardy and risk patient safety, costly fines and a damaged reputation.
To review the full Resolution Agreement and Corrective Action Plan, visit the OCR website: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE