In April of 2017, The U.S. Department of Health and Human Services has announced a HIPAA settlement based on the impermissible disclosure of unsecured ePHI. CardioNet, a Pennsylvania based wireless health services provider, has agreed to settle potential non-compliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving this type of provider, as CardioNet is a supplier and developer of an integrated technology and service which enables heartbeat-by-heartbeat, ECG monitoring, analysis and response for patients with cardiac arrhythmia.
Early in 2012, CardioNet informed the HHS Office for Civil Rights (OCR) that an employee’s parked vehicle was burglarized and a laptop containing the 1,391 ePHI records was stolen. OCR’s investigation discovered that CardioNet had the following issues at the time of the theft:
- an inadequate risk management processes;
- insufficient risk analysis;
- policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
- an absence of final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
HHS has gathered tips and information to help protect and secure health information when using mobile devices: https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security that can be summarized in this video:
Is your organization using mobile devices? Does your business have adequate protection and security?
Give us a call at 201-493-1414 x 301 or submit a request for a complimentary consultation, today. Let’s start a conversation about improving your IT solutions.