The Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $2.5 million settlement with a wireless health services provider, CardioNet, for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). CardioNet, a company that provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias, came under investigation in January 2012 after it notified OCR that an employee’s laptop containing the ePHI of 1,391 individuals had been stolen. OCR’s investigation into the impermissible disclosure revealed that CardioNet did not have sufficient risk analysis and risk management processes in place at the time of the breach. In addition, CardioNet’s HIPAA security policies and procedures existed only in draft form, and the company was not able to produce any final policies or procedures for safeguarding ePHI, including with respect to mobile devices.
In addition to agreeing to pay $2.5 million, CardioNet was required to enter into a corrective action plan to settle its alleged noncompliance with HIPAA Privacy and Security Rules. The corrective action plan requires CardioNet to:
- Conduct an analysis of security risks and vulnerabilities;
- Develop and implement a security risk management plan;
- Implement secure device and media controls; and
- Review and revise its training program to comply with the HIPAA Security Rule and to include a focus on security, encryption and handling of mobile devices and out-of-office transmissions.
During the past year, OCR has issued special guidance for mobile health application developers. Although this HIPAA settlement was the first involving a wireless health services provider, it may signal that OCR is focusing its gaze on this segment of the market. As such, mobile health services providers should review their existing electronic security policies and processes to ensure they comply with HIPAA.