The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced on April 24, 2017, a $2.5 million settlement with mobile health services company CardioNet related to its “potential noncompliance” with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the exposure of unsecured electronic protected health information (ePHI) of more than a thousand individuals. OCR touted the settlement as its first with a wireless health services provider.
The settlement requires CardioNet to adopt a Corrective Action Plan, as part of which CardioNet must:
- conduct a risk analysis to identify the security risks and vulnerabilities to its systems that house ePHI;
- develop and implement a risk management plan to mitigate those risks and vulnerabilities;
- review—and potentially revise—its security policies for electronic devices and media; and
- review—and potentially revise—its training program related to the security of ePHI.
Notably, CardioNet must seek approval from OCR for its risk analysis, risk management plan, security policy, and training program, as well as “provide certification that all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used.” CardioNet must submit annual reports on its compliance with the CAP for the next two years.
The settlement arises from the January 2012 theft of a CardioNet employee’s laptop from their car parked outside of their home. CardioNet reported the theft to OCR, which led to an investigation into CardioNet’s risk analysis and risk management processes, as well as its policies and procedures governing the protection of ePHI. OCR found that CardioNet “failed to conduct an accurate and thorough risk analysis to assess the potential risk and vulnerabilities to the confidentiality, integrity, and availability of ePHI and failed to plan for an implement security measures sufficient to reduce those risks and vulnerabilities.” Specifically, OCR found that CardioNet’s policies and procedures for implementing the HIPAA Security Rule were “in draft form and had not been implemented” and that the company was unable to produce any final versions of policies or procedures for safeguarding ePHI.
The settlement highlights OCR’s continued interest in policing health care companies’ safeguarding of electronic personal health information, as required by the HIPAA Privacy and Security Rules. Indeed, the settlement comes on the heels of OCR’s Linda Sanches’ statement in December 2016 that OCR plans to conduct more onsite audits during 2017 and will pay particular attention to covered entities’ implementation of risk analysis and risk management plans.
Theft of ePHI via hacking or other breaches has skyrocketed in recent years, with the Government Accountability Office reporting in August 2016 that the number of incidents of hacks or breaches of health care records involving 500 or more individuals went from 0 in 2009 to 56 in 2016. Such records can find their way to the Dark Web, where they are sold to criminals who use the information to commit fraud and identity theft. Entities covered by HIPAA and those that handle ePHI should consult with counsel regarding their compliance with relevant HIPAA rules, an increasing challenge as doctors and other health professionals move to maintaining health records in electronic, rather than paper form.