January 31, 2017. In recent posts on the HIPAA Integrity® Website, we have urged our readers and clients to invest in security and to harden access to their IT systems in order to minimize the likelihood of a privacy breach or security incident and the consequences thereof. We commend to your attention an excellent January 23, 2017, Modern Healthcare Special Report written by Adam Rubenfire and Joseph Conn entitled: “Building a Better Cyberdefense: How to harness technology to protect your organization and patients from the latest cyberthreats.”
January 30, 2017. The January 24, 2017, Charleston, SC-based Post & Courier article entitled: “Camera used to take photos of newborn babies missing from Mount Pleasant hospital,” mischaracterizes several statements pertaining to the breach of a missing digital card containing protected health information “for approximately 500 babies born between November 2015 and November 2016.”
January 25, 2017. On January 18, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced in a news release a $2,204,182 settlement with MAPFRE Life Insurance Company of Puerto Rico for the HIPAA Privacy violation of “impermissible disclosure of unsecured electronic protected health information [ePHI].” OCR’s investigation of the breach—a stolen non-safeguarded USB data storage device containing protected health information of 2,209 individuals—revealed that MAPFRE failed “to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an alternative measure on its laptops and removable storage media.” According to the Resolution Agreement, MAPFRE failed to do the following pertaining to HIPAA compliance:
January 13, 2017. On January 9, 2017, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that Presence Health Network of Illinois settled a HIPAA enforcement action for $475,000. The action concerned its failure to report in writing, in a timely manner as required by the HITECH Act Breach Notification Rule, an October 2013 breach of unsecured protected health information (PHI) in paper format that affected 836 individuals.