The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement against a Business Associate (BA), CardioNet. This penalty was based on the impermissible disclosure of unsecured electronic protected health information (ePHI) that was a result of not understanding HIPAA requirements.
CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.
This settlement is the first involving a wireless health services provider. CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.
In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed
- CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.
- CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.
- The Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
See the Resolution Agreement on the OCR website at https://www.hhs.gov/sites/default/files/cardionet-ra-cap.pdf