The latest OCR HIPAA settlement was the first of its kind for a wireless health services provider, following allegations of ePHI disclosure due to a stolen laptop.
Pennsylvania-based CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias and agreed to a $2.5 million settlement.
CardioNet first reported to OCR in January 2012 that a laptop containing the ePHI of 1,391 individuals was stolen from a parked vehicle outside of an employee’s home.
OCR found in its investigation that CardioNet did not have a sufficient risk analysis and risk management processes in place when the device was stolen.
“Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented,” OCR said in a statement. “Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”
CardioNet also notified OCR in February 2012 of a second potential ePHI breach involving the information of 2,219 individuals.
“CardioNet failed to implement the specifications required to establish a security management process to prevent, detect, contain, and correct security violations,” OCR explained in the resolution agreement. “Specifically, CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities.”
Furthermore, CardioNet did not implement the necessary policies and procedures governing how electronic media containing ePHI should be handled, OCR wrote. These should have covered encryption of mobile devices and the conditions under which devices could be removed from the facility.
The wireless health services provider also failed to put applicable safeguards in place for protecting against PHI disclosure by its own employees.
Along with paying the fine, CardioNet must adhere to a corrective action plan, which includes the following requirements:
- Conduct a risk analysis
- Develop and implement a risk management plan
- Implement secure device and media controls
- Review and revise its training program
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” OCR Director Roger Severino said in a statement. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
HHS also underlined the importance of mobile device security and pointed to a page on the ONC website that explains how covered entities and business associates can work toward ePHI security.
For example, organizations should decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information, and whether mobile devices will be connected to the entity’s internal networks or systems.
“Consider how mobile devices affect the risks (threats and vulnerabilities) to the health information your organization holds,” the ONC website reads. “Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.”
Organizations must also develop, document, and implement their mobile device policies and procedures to safeguard health information.
Employee training should also be a top priority, and organizations must conduct mobile device privacy and security awareness and training for providers and professionals.
“Health care providers and professionals are using mobile devices in their work,” ONC said in a fact sheet. “Covered entities must comply with HIPAA Privacy and Security Rules to protect and secure health information, even when using mobile devices.”