The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $2.5 million Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement with CardioNet, which is a company that provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The settlement is based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (ePHI).  

This settlement is noteworthy for two reasons. First, the monetary size of the settlement figure, which is $2.5 million, is staggering. Second, it is the first settlement involving a wireless healthcare services provider. 

The circumstances that led to the settlement are that in January 2012, CardioNet reported to OCR that an employee’s laptop, which contained the electronic protected health information (ePHI) of individuals, was stolen from the employee’s car. OCR’s investigation showed that CardioNet had insufficient risk analysis and risk management processes in place when the ePHI was stolen. The investigation also revealed that CardioNet’s policies and procedures designed to meet the standards of the HIPAA Security Rule had not been implemented at the time of the theft and were only in draft form. CardioNet was also unable to show OCR it had adopted any final policies or procedures regarding the implementation of safeguards for ePHI, including any for mobile devices. 

As we have written about before, mobile devices and healthcare employees that telecommute remain two areas in the healthcare industry that are particularly vulnerable to loss. A business’ failure to implement mobile device security makes sensitive ePHI easy for the taking and a company’s disregard for or failure to follow HIPAA’s rules can lead to significant fines and brand reputation distrust.  Applies whether or not healthcare services are provided at a facility or not.