The unprecedented rate of Health Insurance Portability and Accountability Act (HIPAA) settlements so far in 2017 continued with a $2.5 million agreement reached between the U.S. Department of Health and Human Services (HHS) and a wireless health services provider.
CardioNet, which provides remote monitoring and response for heart patients, is the first company of its kind to face an enforcement settlement with HHS’ Office for Civil Rights (OCR). Otherwise, however, the scenario is familiar.
In 2012, CardioNet reported the theft of a laptop with nearly 1,400 patients’ protected health information (PHI) from an employee’s car. On investigating the impermissible disclosure, the OCR determined that the company lacked an adequate risk analysis or risk management processes at the time of the theft.
Additionally, CardioNet’s policies and procedures implementing HIPAA’s security standards were in draft form and had not been implemented, the OCR alleged. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures on implementing safeguards for electronic PHI, including those for mobile devices.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said OCR Director Roger Severino April 24 in announcing the settlement. “Failure to implement mobile device security by covered entities and business associates puts individuals’ sensitive health information at risk,” he added. “This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”