First HIPAA Settlement Involving Wireless Health Services Provider

Poyner Spruill LLP

We have previously written that the Internet of Things continues to spawn new cybersecurity and privacy concerns. These vulnerabilities have already served as plot devices for shows such as Homeland. Now, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced its first settlement with a wireless services provider.

The provider, which provides mobile monitoring to patients at risk for cardiac arrhythmias, had reported the theft of a laptop containing the electronic protected health information (ePHI) of approximately 1,400 individuals.

OCR’s investigation cited several factors that led to a finding of non-compliance:

  • Insufficient risk analysis and risk management processes in place at the time of the theft;
  • Policies and procedures implementing the standards of the HIPAA Security Rule had not been implemented; and
  • The organization could not furnish procedures for safeguarding ePHI, including those on mobile devices.

OCR Director Roger Severino noted that mobile devices remain particularly vulnerable to theft or loss. While this particular case involved a relatively mundane theft of a laptop computer, the organization’s mobile monitoring business serves as a timely reminder that as Internet-connected medical devices proliferate, so do the opportunities for ePHI security incidents. For every “smart” pacemaker or Internet-connected insulin pump, there will surely be a hacker trying to test its security. And as cloud-based applications and the Internet of Things continue to grow, OCR enforcement in the mobile arena will undoubtedly ramp up.

Covered Entities and Business Associates should:

  • Ensure that they have documented ePHI safeguards in place;
  • Conduct annual security assessment reviews and document the results; and
  • Encrypt data where possible.

When it comes to HIPAA compliance, an ounce of prevention can avert a pound (and even $2.5 million) of future pain.

The Resolution Agreement and Corrective Action Plan entered into in connection with this case may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising