CardioNet, a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias, has agreed to a $2.5 million settlement to resolve potential HIPAA violations.
Settlements have in the past been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider.
The settlement relates to a data breach reported to OCR in January 2012. In 2011, a CardioNet staff member left a laptop computer in a vehicle parked outside their home. The laptop was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).
As is standard for breaches involving the theft or exposure of the PHI of 500 or more individuals, OCR carried out an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.
A risk analysis had been performed, but OCR investigators determined that it was not comprehensive, a violation of 45 C.F.R. § 164.308(a)(1). In addition, at the time the breach occurred, CardioNet’s risk management process was inadequate.
By 2011, all HIPAA-covered entities were required to be in compliance with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not been put in place. OCR requested final copies of the policies and procedures covering the safeguarding of ePHI stored on mobile devices, but CardioNet was unable to produce any HIPAA-compliant documentation on the implementation of ePHI safeguards for mobile devices.
CardioNet was also found to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures governing the receipt and removal of hardware containing ePHI, and by not implementing encryption, or an equivalent alternative safeguard, to prevent the exposure of ePHI stored on mobile devices.
Any laptop computer or other mobile device that holds patients’ ePHI is vulnerable to theft or loss, and the risk increases greatly once those devices leave the premises of a HIPAA-covered entity. Covered entities must therefore put appropriate safeguards in place so that, should a device be stolen or lost, the ePHI it holds remains protected.
OCR Director, Roger Severino, stated that the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
This latest HIPAA settlement sends a strong message to covered entities that failure to comply with HIPAA Rules can have serious financial consequences. It also underlines that it is not only hospitals and health plans that face significant financial penalties for failing to comply with HIPAA Rules.