The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two HIPAA fines totaling $5.4 million. In both cases, OCR investigations revealed widespread violations of the HIPAA Privacy and Security Rules.
Both cases demonstrate OCR’s commitment to continued enforcement under the Trump administration. In 2016, fines totaled almost $24 million. Since the start of 2017 alone, OCR has levied over $5.8 million in fines for HIPAA violations.
MAPFRE Life Insurance Company of Puerto Rico, $2.2 Million
MAPFRE was fined $2.2 million by OCR for the improper disclosure of unsecured electronic protected health information (ePHI) on January 18, 2017.
MAPFRE is a subsidiary of a large, multinational insurance company based out of Spain. MAPFRE first reported a breach of unsecured ePHI in September of 2011. The company reported that a USB storage device containing the names, dates of birth, and Social Security numbers of 2,209 individuals was stolen from its IT department.
Over the course of its investigation, OCR determined that MAPFRE was noncompliant with the HIPAA Rules. MAPFRE had failed to conduct a risk analysis or implement necessary risk management plans. The organization also failed to follow necessary security protocols by not encrypting devices with access to ePHI such as laptops, USB drives, and other removable storage devices.
Former OCR Director Jocelyn Samuels commented on the settlement, saying that “Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well. OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
Children’s Medical Center of Dallas, $3.2 Million
Children’s Medical Center of Dallas (Children’s) was fined $3.2 million by OCR for the improper disclosure of ePHI and years of widespread noncompliance with the HIPAA Security Rule.
Children’s filed a breach report in January of 2010 after an unencrypted, non-password protected BlackBerry containing the ePHI of about 3,800 patients was lost. In addition, Children’s reported the theft of an unencrypted laptop in July of 2013, which had access to 2,462 patients’ ePHI.
OCR discovered that Children’s was widely out of compliance with HIPAA. The organization failed to implement risk management plans and failed to properly protect devices with access to ePHI, including laptops, work stations, mobile devices, and removable storage media.
OCR Acting Director Robinsue Frohboese commented on the investigation, saying that “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential.”
The $3.2 million fine came in the form of a civil money penalty, a relatively uncommon practice in HIPAA enforcement. Frohboese continued, “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”