After an unencrypted USB drive was stolen from a life insurance company, the Office of Civil Rights (OCR) – the enforcement arm of HIPAA – levied a $2.2 million fine. But the fine was not levied directly in response to the theft.
MAPFRE Life Insurance Company did the right thing by self-reporting this theft, which involved data on over 2,000 patients. This information included names, birthdates, and Social Security numbers. While this is a severe breach of patient data, the company could have avoided the fine.
OCR doesn’t want to levy fines against covered entities that self-report – they want you to be able to report without fear of retribution. What MAPFRE did wrong was that, after developing a risk analysis and mitigation plan, it failed to follow through on that plan, as OCR found when it conducted a follow-up check-in.
As per OCR protocol, the Resolution Agreement is publicly available here: https://www.hhs.gov/sites/default/files/mapfre-ra-cap.pdf
Jocelyn Samuels, the OCR director, stated “We hope this settlement sends a strong message to covered entities, that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ electronic protected health information is secure.”
The Takeaway
A risk assessment and mitigation plan is vital to understanding the risks to your data while avoiding hefty fines. It’s not enough to document your risks; you also need to follow through with the steps that mitigate the risks you identified. In truth, you can have outdated equipment, outdated software, etc., as long as it’s documented and you are following through with a roadmap to contain those risks. Those who do not have a thorough assessment are in the crosshairs of OCR. Their message: take your data security seriously – not only to avoid fines, but to act as responsible stewards of your patients’ data.