Lessons from OCR HIPAA Settlements - Mobile Device Security Standards

Ruder Ware
In the first known case involving a wireless provider, a cardiology service provider agreed to pay a $2.5 million settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).  The company provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.  The company disclosed to the Office of Civil Rights (OCR) that a workforce member’s laptop had been stolen from a vehicle parked outside of the employee’s home.  The laptop contained the ePHI of 1,391 individuals. The disclosure of this situation resulted in an OCR investigation that revealed the company did not maintain an adequate risk analysis and risk management process.  The investigation also revealed that HIPAA security policies were in draft form and had not been implemented.  No policies could be produced to specifically address safeguards protecting ePHI.

In the press release relating to this matter, the OCR made a special point to highlight the need to adopt and implement policies to address the special risks involved with using mobile devices in the health care industry.  OCR made a rather strong comment regarding the need to address mobile devices risks stating “[f]ailure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.  This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

Lesson 1 – Adopt and implement policies and procedures addressing security risks associated with the use of mobile devices.

Lesson 2 – Make sure your policies and procedures are in final form and have been adopted and implemented as active policies.

Lesson 3 – Many providers focus on HIPAA privacy policies and overlook HIPAA security standards.  Do not make this mistake.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ruder Ware | Attorney Advertising

Written by:

Ruder Ware

Ruder Ware on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.