OCR Announces First HIPAA Settlement with Wireless Health Services Provider

Morgan Lewis

The $2.5 million settlement reflects the agency’s focus on mobile health privacy.

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with CardioNet, a cardiac monitoring wireless device manufacturer, based on the impermissible disclosure of unsecured electronic protected health information (ePHI). OCR investigated CardioNet after CardioNet notified the agency in January 2012 of a breach of unsecured ePHI affecting 1,391 individuals, stemming from an employee’s stolen laptop. CardioNet has agreed to pay $2.5 million and enter into a corrective action plan to settle its potential noncompliance with the HIPAA Privacy and Security Rules.

Spotlight on Mobile Device Security

OCR’s settlement with CardioNet is the first HIPAA settlement involving a wireless health services provider. OCR’s investigation into the impermissible disclosure alleged that CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, and that CardioNet did not plan for or implement security measures sufficient to reduce those risks and vulnerabilities. Additionally, OCR’s investigation revealed that CardioNet policies and procedures governing the receipt and removal of hardware and electronic media that contained ePHI, the encryption of such media, and the movement of these items within CardioNet facilities were in draft form but were not implemented until March 2015, more than three years after CardioNet notified OCR of the breach.

The requirements of OCR’s corrective action plan with CardioNet include the following:

  • conduct a comprehensive and thorough risk analysis of security risks and vulnerabilities;
  • develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis and include details on the process and timing of its risk remediation activities;
  • review and revise its HIPAA Security Rule policies and procedures with particular attention regarding device and media controls;
  • provide certification that all laptops, flash drives, and other portable media devices are encrypted; and
  • review and revise CardioNet’s training programs to comply with the HIPAA Security Rule and include a focus on security, encryption, and handling of mobile devices and out-of-office transmissions.

Takeaways

OCR appears to be voicing its concern regarding HIPAA compliance and wireless health devices. In HHS’s release, OCR Director Roger Severino stated, “Mobile devices in the health care sector remain particularly vulnerable to theft and loss . . . . Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.” CardioNet’s corrective action plan underscores OCR’s expectations for HIPAA Security Rule compliance in this sector. During the last year, OCR has issued guidance for mobile health application developers, and developed a portal designed to provide guidance to health app developers.

The corrective action plan’s emphasis on performing a risk analysis, implementing a risk management plan, and reviewing and revising specific policies and procedures focused on mobile device security is consistent with the priorities of recent OCR enforcement actions and audits. Moreover, this recent settlement highlights that OCR is continuing to actively engage in HIPAA investigations and enforcement. CardioNet’s $2.5 million settlement is the third multimillion-dollar settlement OCR has entered into this year.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
