Risk Analysis and Risk Management Errors Result in $2.5 Million HIPAA Settlement

Risk analysis and risk management failures have cost CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias, $2.5 million in a HIPAA settlement.

The Department of Health and Human Services’ Office for Civil Rights agreed to settle the potential HIPAA violations with no admission of liability. In addition to the substantial HIPAA settlement, CardioNet is required to adopt a corrective action plan to address HIPAA failures that contributed to a 2011 data breach.

OCR investigated CardioNet following receipt of a breach report in January 2012. An employee of CardioNet took a laptop computer home and left the device in a vehicle overnight. The device was stolen, resulting in the unauthorized disclosure of 1,391 individuals' electronic protected health information (ePHI). The ePHI stored on the device was not encrypted.

HIPAA does not mandate encryption of ePHI on mobile devices: under the Security Rule, encryption is an addressable implementation specification. A covered entity that decides not to encrypt must document why and implement an equivalent alternative safeguard to protect the confidentiality, integrity and availability of ePHI. CardioNet did neither. Encryption also determines whether an incident is reportable at all: ePHI encrypted in line with HHS guidance (with the decryption key not stored on or with the device) is not considered unsecured PHI, so the loss of a properly encrypted laptop would not have required breach notification.

OCR also determined that policies and procedures had not been put in place covering the receipt and removal of portable devices from CardioNet premises. Those policies were not implemented until March 2015.

CardioNet had performed a risk analysis prior to the theft of the laptop; however, OCR determined that it was neither comprehensive nor up to the standard the HIPAA Security Rule requires. CardioNet had also failed to implement a security management process to prevent, detect, contain and correct security violations and to reduce risks and vulnerabilities to an acceptable level.

CardioNet has since implemented policies and procedures to comply with the HIPAA Security Rule, but at the time of the OCR investigation those policies and procedures existed only in draft form. OCR requested copies of the final policies and procedures on safeguards for ePHI stored on mobile devices, and CardioNet was unable to produce them.

If ePHI is to be stored on mobile devices, HIPAA requires appropriate safeguards to ensure it cannot be exposed to or accessed by unauthorized individuals. Failing to implement those safeguards places the confidentiality, integrity and availability of ePHI at risk.

OCR has increased its enforcement activities and is now issuing more fines to covered entities that have failed to comply with the HIPAA Privacy, Security and Breach Notification Rules.

If a data breach occurs and OCR discovers HIPAA violations during its investigation, heavy fines await. So far in 2017, OCR has fined seven covered entities for HIPAA violations that contributed to a data breach, and last year saw 12 HIPAA settlements agreed and one civil monetary penalty (CMP) issued. These settlements show that failure to comply with the HIPAA Rules can prove costly.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news