On January 18, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) relating to a breach of protected health information (“PHI”) contained on a portable storage device. This is the second enforcement action taken by OCR in 2017, following the action taken against Presence Health earlier this month for failing to make timely breach notifications.

In 2011, MAPFRE, which underwrites group health insurance plans, submitted a breach report to OCR after a USB data storage device containing PHI was stolen from the company’s IT Department. OCR investigated MAPFRE and found that it had committed several HIPAA violations by failing to (1) conduct an adequate risk analysis, (2) implement a security awareness and training program and (3) encrypt electronic PHI (“ePHI”) stored on portable devices.

The resolution agreement requires MAPFRE to pay $2,204,182 to OCR and enter into a Corrective Action Plan that obligates MAPFRE to:

  • conduct a risk analysis and implement a risk management plan;
  • implement a process for evaluating environmental or operational changes that affect the security of ePHI;
  • modify its policies and procedures based on the risk analysis and as necessary to comply with the HIPAA Privacy and Security Rules;
  • distribute the revised policies and procedures to its workforce members;
  • submit its security awareness training program to OCR and provide training to all workforce members;
  • report any events of noncompliance with its HIPAA policies and procedures; and
  • submit annual compliance reports for a period of three years.

In announcing the settlement with MAPFRE, OCR Director Jocelyn Samuels stated that, “[c]overed entities must not only make assessments to safeguard ePHI, they must act on those assessments as well.”