The US Department of Health and Human Services, Office for Civil Rights (“OCR”) recently announced that CardioNet, Inc., a cardiac monitoring services company, entered into a HIPAA settlement for $2.5 million resulting from the impermissible disclosure of unsecured electronic protected health information (“ePHI”). In addition to the settlement, CardioNet is required to engage in a specific Corrective Action Plan. CardioNet is the first wireless health services provider to settle with the OCR and all wireless services providers should take notice.
In January 2012, CardioNet reported a breach involving the theft of an employee’s laptop from a parked vehicle outside of the employee’s home. The laptop was unencrypted and contained the ePHI of 1,391 individuals. In February 2012, CardioNet reported a second incident affecting the ePHI of 2,219 individuals. After receiving the breach reports, OCR investigated. OCR’s investigation revealed that (i) CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft; (ii) CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented; and (iii) CardioNet was unable to show that it had finalized and implemented any policies safeguarding ePHI, including safeguards for mobile devices.
Roger Severino, OCR Director, said: “Mobile devices in the health care sector remain particularly vulnerable to theft and loss. Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
OCR is continuing its aggressive enforcement of compliance with the HIPAA Security Rule. Digital health vendors should review their HIPAA compliance programs to ensure that the Security Rule’s standards for safeguarding ePHI are implemented.