The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced on April 24, 2017, a $2.5 million settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with CardioNet, Inc., based on its alleged impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias.
In addition to the $2.5 million payment, CardioNet agreed to implement a 2-year corrective action plan (CAP) in order to settle OCR’s claims of CardioNet’s non-compliance with the HIPAA Privacy and Security Rules. The CAP imposes extensive OCR oversight of CardioNet’s activities, including requiring CardioNet to submit for review and approval a “current, comprehensive and thorough Risk Analysis” and an “organization-wide Risk Management Plan.” CardioNet is also required to provide “certification that all laptops, flash drives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods.”
According to the Resolution Agreement, CardioNet is a covered entity. On January 10, 2012, and February 27, 2012, CardioNet notified OCR of breaches of unsecured ePHI affecting 1,391 and 2,219 individuals, respectively, arising from the theft of an employee’s laptop (containing the ePHI) from a vehicle parked outside the employee’s home. According to OCR, its investigation revealed that CardioNet’s risk analysis and risk management processes were insufficient at the time of the theft. OCR also noted that CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were still in draft form and had not been implemented.
CardioNet was also not able to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices. Roger Severino, OCR Director, stated in the HHS press release: “Mobile devices in the health care sector remain particularly vulnerable to theft and loss” and that failure to “implement mobile device security” puts individuals’ “sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
Key Takeaways:
- Draft privacy and security policies that have not been implemented, a lack of safeguards for mobile devices, and inadequate risk analysis and risk management plans will likely not pass muster with OCR.
- Entities offering health care services through mobile apps and remote monitoring devices (viewed as “particularly vulnerable” to theft, loss, and cyber-attack) are increasingly coming under the heightened scrutiny of regulators and prospective private-action plaintiffs.