The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement based on a Covered Entity's untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured protected health information (PHI) on October 22, 2013, but did not report it to OCR until January 31, 2014, more than three months later. OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of discovering it, as HIPAA requires of Covered Entities. The violation resulted in a $475,000 settlement between OCR and Presence Health.
OCR subsequently announced another settlement, this one with an insurance company, involving the impermissible disclosure of unsecured electronic PHI (ePHI). MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) reported a breach to OCR in September 2011 after a USB storage device containing ePHI was stolen from its IT Department. MAPFRE administers and underwrites personal and group health insurance plans, among other insurance products and services. The ePHI on the device included individuals' full names, dates of birth, and Social Security numbers. After conducting an investigation, OCR concluded that MAPFRE had not performed a risk analysis, had not implemented a risk management plan, and had not used encryption or an equivalent safeguard on its laptops and removable storage devices until September 1, 2014. To resolve these violations, MAPFRE agreed to pay $2.2 million and to implement a corrective action plan.
As these two recent settlements illustrate, OCR remains dedicated to investigating and enforcing all aspects of HIPAA's Privacy, Security and Breach Notification Rules, including the timeliness of breach reporting and the basic Security Rule safeguards of risk analysis, risk management and encryption of portable devices. Covered Entities and Business Associates must remain diligent in complying with the Rules.