HIPAA Blog

[ Sunday, January 22, 2017 ]

What's wrong with this picture? Someone stole a USB "pen drive" from MAPFRE Life Insurance Company of Puerto Rico. The storage device had PHI on it, including names, DOB, and SSN of 2200 people. No risk analysis, no risk management plan, and no encryption plan. OCR levied a fine for these HIPAA violations of $2.2 million (which is supposedly "low" because of the tenuous financial condition of the entity).

So, what's wrong? You should be asking, Hmmm, how come OCR is fining a life insurance company? That's what I thought, since life insurance companies are not "covered entities" under HIPAA. Well, there is an explanation: MAPFRE also offers personal and group health insurance plans, thus making it a covered entity. Mystery solved.

Jeff [11:33 PM]

Comments: Post a Comment

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template