Pensylvania-based CardioNet has agreed a $2.5 million settlement to resolve potential HIPAA violations. The provider of remote mobile monitoring and quick response services to patients in danger of suffering cardiac arrhythmias.
Settlements have previously been agreed with healthcare suppliers, health plans, and business clients of covered organizations, but this is the first-time OCR has settled potential HIPAA breaches with a wireless health services supplier.
While OCR has not fined a wireless health services provider for violating HIPAA Rules on a previous occasion, the same cannot be said of the violations found. Numerous settlements have previously been agreed with covered organizations after OCR found risk analysis and risk management failures.
In this instance, the settlement refers to a data violation reported to OCR in January 2012. In 2011, a staff member of CardioNet left a laptop computer in a vehicle that was left outside that person’s home. The laptop computer was stolen, leading to the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).
As is normal following all breaches involving the theft or exposure of more than 500 peoples’ PHI, OCR completed an investigation to determine whether the breach was a direct result of breaches of HIPAA Rules.
On this occasion, a risk analysis has been completed, but OCR investigators deduced that the risk analysis was not thorough – a breach of 45 C.F.R. § 164.308(a)(1). Also, at the time of the violation, there were failures in CardioNet’s risk management process.
By 2011, all HIPAA-covered organizations were required to adhere with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been put in place. OCR asked for final copies of policies and procedures covering the securing of ePHI kept on mobile devices, yet CardioNet was unable to show any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.
CardioNet was found to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware storing ePHI and for the failure to use encryption – or another equivalent safeguard – to stop the exposure of ePHI stored on mobile devices.
Any laptop computer or other mobile device that is used to keep the ePHI of patients is in danger of theft or loss. When those devices are moved from the premises of a HIPAA-covered organization, the risk of theft or loss rises considerably. Covered organizations must therefore implement appropriate security measures to ensure that in the event of loss or theft of those devices, ePHI remains secured.
OCR Director, Roger Severino, referring to the incident, said “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information in danger. This disregard for safety can lead to a serious breach, which affects each person whose information is left unprotected.”
The latest HIPAA settlement should send a warning to covered organizations that the failure to adhere to HIPAA Rules can be an expensive mistake. Also, that it is not just hospitals and health plans that run the risk of a massive fine for failing to comply with HIPAA Rules.