OCR’s latest expensive HIPAA lessons

On January 18, 2017, the Office for Civil Rights (OCR) announced a HIPAA settlement based on the disclosure of unsecured electronic protected health information (ePHI) by MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) stored on a USB storage device. Simply put, a thumb drive stolen in 2011 from MAPFRE's IT department cost it an astounding $2.2 million as a "resolution amount," in addition to a fairly onerous corrective action plan.

Apparently, the fact that MAPFRE is the U.S. subsidiary of a large "global multinational insurance company headquartered in Spain" played some role in the harsh fine. The USB storage device held complete names, dates of birth and Social Security numbers, and the breach impacted 2,209 individuals. Given that MAPFRE's failure to encrypt the device weighed against it in OCR's eyes, covered entities should bite the bullet and encrypt every device that touches ePHI, no matter what the budget constraints.

Another recent HIPAA settlement allowed OCR to shine a light on something else of concern to HHS, namely the need to report breaches within the 60-day reporting window that applies to breaches impacting 500 or more individuals. On January 9, 2017, OCR issued a press release whose title says it all: "First HIPAA enforcement action for lack of timely breach notification settles for $475,000." Rather than report within 60 days, Presence Health, a large health care network serving Illinois, took 104 days to report the loss of "paper-based operating room schedules, which contained the PHI of 836 individuals." A spokesman for Presence Health said in a statement that contact and financial information were not even compromised. In other words, the penalty was for the late notification itself, not for the sensitivity of what was lost.

As with past enforcement actions over properly worded business associate agreements, comprehensive risk analyses, and cooperation in investigations, covered entities should take the examples made of MAPFRE and Presence Health to heart: encrypt, and report a breach on time.