Two large fines – $475,000 and $2,200,000 – were imposed recently on covered entities for HIPAA violations related to breaches of protected health information. Together they illustrate the importance of conducting a Risk Analysis, understanding the Breach Notification Rule, and implementing a Risk Management Plan. In addition to the fines, both covered entities must implement corrective action plans.

In the first one, Presence Health, a health care network in Illinois, will pay $475,000 to the Office of Civil Rights (OCR) because it failed to report a breach of protected health information in a timely manner. This is the first-ever settlement resulting from an untimely breach notification. Presence Health consists of approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Presence also has multiple physicians’ offices and health care centers in its system and offers home care, hospice care, and behavioral health services. 

In the second, MAPFRE Insurance Company of Puerto Rico will pay $2,200,000 resulting from a stolen USB storage device from its IT department. MAPFRE administers and underwrites personal and group health insurance plans, among other insurance products and services. In its investigation, the OCR discovered that MAPFRE had failed to perform a risk analysis or implement a risk management plan and did not utilize encryption or similar security measure on its laptops and storage devices.  

Both of these situations could have been prevented, using policies and procedures contained in The HIPAA E-Tool®. The landing page of the E-Tool, shown below, contains easy to navigate tabs that lead directly to instructions about what to do. There is no need to be confused about how to comply. It’s all explained clearly and simply in The HIPAA E-Tool®.