The $2.5 million settlement reflects the agency’s focus on mobile health privacy.
On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with CardioNet, a cardiac monitoring wireless device manufacturer, based on the impermissible disclosure of unsecured electronic protected health information (ePHI). OCR investigated CardioNet after CardioNet notified the agency in January 2012 of a breach of unsecured ePHI affecting 1,391 individuals, stemming from an employee’s stolen laptop. CardioNet has agreed to pay $2.5 million and enter into a corrective action plan to settle its potential noncompliance with the HIPAA Privacy and Security Rules.
Spotlight on Mobile Device Security
OCR’s settlement with CardioNet is the first HIPAA settlement involving a wireless health services provider. OCR’s investigation into the impermissible disclosure alleged that CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, and that CardioNet did not plan for or implement security measures sufficient to reduce those risks and vulnerabilities. Additionally, OCR’s investigation revealed that CardioNet policies and procedures governing the receipt and removal of hardware and electronic media that contained ePHI, the encryption of such media, and the movement of these items within CardioNet facilities were in draft form but were not implemented until March 2015, more than three years after CardioNet notified OCR of the breach.
The requirements of OCR’s corrective action plan with CardioNet include the following:
- conduct a comprehensive and thorough risk analysis of security risks and vulnerabilities;
- develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis and include details on the process and timing of its risk remediation activities;
- review and revise its HIPAA Security Rule policies and procedures with particular attention regarding device and media controls;
- provide certification that all laptops, flash drives, and other portable media devices are encrypted; and
- review and revise CardioNet’s training programs to comply with the HIPAA Security Rule and include a focus on security, encryption, and handling of mobile devices and out-of-office transmissions.
OCR appears to be voicing its concern regarding HIPAA compliance and wireless health devices. In HHS’s release, OCR Director Roger Severino stated, “Mobile devices in the health care sector remain particularly vulnerable to theft and loss . . . . Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.” CardioNet’s corrective action plan underscores OCR’s expectations for HIPAA Security Rule compliance in this sector. During the last year, OCR has issued guidance for mobile health application developers, and developed a portal designed to provide guidance to health app developers.
The corrective action plan’s emphasis on performing a risk analysis, implementing a risk management plan, and reviewing and revising specific policies and procedures focusing on mobile device security are consistent with the priorities of recent OCR enforcement actions and audits. Moreover, this recent settlement highlights that OCR is continuing to actively engage in HIPAA investigations and enforcement. CardioNet’s $2.5 million settlement is the third multimillion-dollar settlement OCR has entered into this year.