In a first-of-its-kind settlement for a wireless health care services provider, CardioNet, a Pennsylvania-based telemetry company, has agreed to pay $2.5 million to the U.S. Department of Health and Human Services (HHS) for a breach that led to the disclosure of the electronic protected health information (ePHI) of 1,391 individuals.
CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. As disclosed in the HHS announcement of the settlement, in January 2012 a CardioNet workforce member’s laptop was stolen from a vehicle parked outside the employee’s home. The laptop contained the ePHI of 1,391 individuals. That, however, was only the beginning of CardioNet’s troubles. The company self-reported the breach, which led to an investigation by the HHS Office for Civil Rights (OCR). OCR’s investigation revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. In the coup de grâce, CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
As a telemetry company, CardioNet did not meet “face-to-face” with patients. Nevertheless, it met the definition of a covered entity under the HIPAA rules and was therefore confronted with the same compliance requirements as other healthcare providers regarding ePHI. Not only did CardioNet face a heavy financial settlement for the disclosure, it also agreed to an extensive Corrective Action Plan (CAP), requiring that it (1) conduct a comprehensive Risk Analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems, and applications controlled, currently administered or owned by CardioNet that contain, store, transmit, or receive ePHI; (2) develop and implement a Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis; (3) implement secure device and media controls; and (4) review and revise its employee training program.
The situation in which CardioNet finds itself was almost entirely preventable had it conducted appropriate compliance planning and implementation.