On April 24, 2017, the Department of Health and Human Services, Office of Civil Rights (“OCR”), announced its first settlement with a wireless health services provider, CardioNet, Inc., for alleged violations of the Health Insurance Portability and Accountability Act of 1996 and related regulations (“HIPAA”). The settlement provides that CardioNet must pay $2.5 million in civil monetary penalties and complete a two-year corrective action plan under heightened OCR oversight.

CardioNet provides ambulatory cardiac monitoring services to patients. In January and February 2012, CardioNet reported to OCR breaches of unsecured electronic protected health information (“ePHI”) that affected over 3,500 individuals. The first breach was due to an employee’s laptop being stolen from a parked car outside the employee’s home. OCR did not release details about the circumstances leading to the second breach.

OCR discovered that CardioNet failed to conduct an accurate and thorough risk assessment and failed to create a plan to address security risks and vulnerabilities as required by 45 C.F.R. § 164.308(a). CardioNet’s policies and procedures to comply with the HIPAA Security Rule were in draft format and never finalized. As a result, CardioNet had no rules in place governing (1) the receipt and removal of hardware and electronic media containing ePHI into and out of CardioNet’s facilities; or (2) the encryption of ePHI as required by 45 C.F.R. §164.310(d). Further, CardioNet did not safeguard against impermissible disclosure of ePHI by employees, which resulted in an unauthorized person accessing patients’ ePHI.

In OCR’s announcement of the settlement, OCR Director, Roger Severino, said: “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

Action Steps for Covered Entities and Business Associates:

• Ensure that your organization has final versions of HIPAA policies and procedures in place.
• Train employees on your organization’s HIPAA policies and procedures.
• Conduct a risk assessment and create a place to address risks and vulnerabilities.
• Ensure that PHI stored on information systems and devices is encrypted, and if not encrypted, document why such information is not encrypted.

Sherman & Howard L.L.C. has prepared this advisory to provide general information on recent legal developments that may be of interest. This advisory does not provide legal advice for any specific situation and does not create an attorney-client relationship between any reader and the Firm.

©2017 Sherman & Howard L.L.C.                                                                                       April 25, 2017