[BreachExchange] Why HIPAA Compliance Matters: How a “small” breach can yield a large fine

Thu Feb 2 17:18:55 EST 2017

http://www.lexology.com/library/detail.aspx?g=283a296c-be87-4ef1-b921-
208b044e5ff6

The new year continues as the old ended, with HIPAA enforcement actions. On
Jan. 11, 2017, MAPFRE Life Insurance Company of Puerto Rico (MAPFRE Life)
entered into a Resolution Agreement with the United States Department of
Health and Human Services, Office for Civil Rights (HHS) in which MAPFRE
Life agreed to pay approximately $2.2 million and enter into a corrective
action plan (CAP) with a duration of three years in exchange for a release
of HHS’ claims related to certain HIPAA violations by MAPFRE Life.

A cursory reading suggests that the $2.2 million payment imposed on MAPFRE
Life was the result of a breach of approximately 2,200 records, which would
put the payment amount far in excess of other fines issued by HHS for
breaches of similar size.

A closer look, however, reveals that the fine is not a direct response to
the fact that MAPFRE Life reported a stolen USB stick containing the 2,200
records. Instead, the breach report triggered an investigation of MAPFRE
Life’s compliance with the HIPAA regulations, and here things became
problematic for MAPFRE Life. The investigation not only confirmed the
missing USB stick, it also revealed:

Failure to conduct a risk analysis of ePHI security risks and
vulnerabilities;
Failure to implement a security awareness and training program
Failure to implement a mechanism to encrypt ePHI
Failure to implement reasonable and appropriate policies and procedures to
safeguard ePHI

In other words, it appears that MAPFRE Life, at best, had a set of HIPAA
policies stored away in a drawer somewhere, but did very little in terms of
actually implementing these policies. To make matters worse, when prompted
by HHS for a description of its HIPAA compliance program, MAPFRE Life,
among other inaccurate representations, incorrectly asserted that it had
deployed encryption on its portable devices post breach discovery, when in
reality it did not complete the implementation of an encryption solution
until almost three years after discovering and reporting the breach.

As a result of the investigation and after entering into the Resolution
Agreement, MAPFRE Life is now subject to a three-year CAP that reads like a
roadmap to HIPAA compliance. Pursuant to the CAP, MAPFRE Life is required
to do the following:

Perform a comprehensive risk analysis, including a complete inventory of
all electronic equipment, such as media devices, data systems, and
applications that contain or store ePHI, and develop risk management plan
Implement a process for evaluating environmental and operational changes
Implement existing policies and procedures
Annual review and revision of policies and procedures
No disclosure of ePHI to workforce members or business associates without
written certification of compliance
HIPAA training to workforce members within 30 days of hire

The burden for MAPFRE Life, in addition to having to pay $2.2 million, lies
in the fact that HHS will be supervising every step of its HIPAA compliance
program for the next three years. To other covered entities, it presents
the opportunity to learn from MAPFRE Life’s mistakes by ensuring proper
implementation of a satisfactory HIPAA compliance program in accordance
with the detailed instructions HHS provided through the CAP.

Lessons learned (and relearned):

Encrypted devices reduce the risk of a breach and significantly limit a
covered entity’s exposure in the event of a compliance audit
All portable devices containing PHI should at all times be accounted for
There are no “small” breaches – any breach report to HHS may trigger an
audit
HHS expects covered entities to be serious about the implementation of
policies and procedures
If a security incident or a breach exposes any weaknesses in the covered
entity’s HIPAA compliance program, the entity should take immediate action
to remedy the problem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170202/65a85547/attachment.html>