On Monday, the US Department of Health & Human Services’ Office for Civil Rights announced that CardioNet has entered into a $2.5 million HIPAA settlement. CardioNet provides mobile cardiac monitoring services and is the first wireless health services provider to enter into a settlement with OCR. CardioNet had not performed a risk analysis or adopted a risk management plan; its Security Rule policies and procedures were still in draft form; and CardioNet was unable to show that it had finalized and implemented any policies safeguarding ePHI, including safeguards for mobile devices. This lack of compliance with the Security Rule contributed to the theft of an employee’s laptop containing the unsecured ePHI of 1,391 individuals.
Why Should You Care?
Under the new administration, OCR is continuing its crackdown on Covered Entities and Business Associates flouting compliance with the Security Rule. Roger Severino, OCR’s new Director, said “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.” Per our warning last week, it seems clear that OCR is continuing its aggressive enforcement in this area.
What’s the Takeaway?
Failure to adequately safeguard ePHI can result in serious financial and reputational damage. Please take this opportunity to review your HIPAA compliance program, especially with respect to your implementation of the Security Rule’s standards for safeguarding ePHI.