First HIPAA Settlement Involving a Wireless Health Services Provider

Summary

On April 24, 2017, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that CardioNet, Inc. (CNI) agreed to pay $2.5 million and enter into a Corrective Action Plan (CAP) to settle alleged violations of the HIPAA Privacy and Security Rules. This is the first HIPAA settlement involving a wireless health services provider.

CNI is a provider of ambulatory cardiac monitoring services headquartered in Malvern, Pennsylvania. In January 2012, CNI reported a breach involving the electronic protected health information (e-PHI) of 1,391 individuals. The breach occurred when a CNI employee’s laptop was stolen from the employee’s car, which was parked outside the employee’s residence. CNI reported a second breach on February 27, 2017, affecting the e-PHI of 2,219 individuals. No further details were provided in the Resolution Agreement or OCR’s press release about the February 27, 2017 breach. OCR initiated an investigation of CNI’s HIPAA compliance in May 2012.
 
According to the press release announcing the CNI settlement, OCR’s investigation demonstrated that CNI had an insufficient risk analysis and risk management program; had HIPAA Security Rule policies and procedures that were still in draft form; and had no final policies governing the safeguarding of e-PHI.
 
As part of the settlement, CNI entered into a two-year CAP with HHS. The CAP requires CNI to do the following:

  • Conduct and submit to HHS a thorough risk analysis of security risks and vulnerabilities, including all CNI facilities and equipment, data systems and applications that control, store, transmit or receive e-PHI;
  • Develop and submit to HHS a CNI-wide risk management plan to address and mitigate any risks identified in the risk analysis;
  • Review and revise, as necessary, its HIPAA Security Rule policies and procedures, with particular attention to policies and procedures for device and media controls;
  • Certify to HHS that all laptops, flash drives, SD cards, and other portable media devices are encrypted, and provide a description of the encryption methods used; and
  • Review and revise, as necessary, its Security Rule training program.

CNI did not admit any liability as part of the settlement.
 
The CNI Resolution Agreement and CAP are available here.
 
This is the fourth (4th) HIPAA settlement announced by the Trump Administration. See:
    • Failure to Implement Business Associate Agreement Results in $31,000 Settlement For Health Care Provider
    • Phishing Incident Leads to $400,000 HIPAA Settlement
    • $5.5 Million HIPAA Settlement Matches Largest Payment To-Date
 
As OCR’s enforcement efforts continue to focus on Security Rule compliance, the CNI settlement serves as a reminder to covered entities and business associates of the importance of having comprehensive and finalized Security Rule policies and procedures, including device and media controls. The CAP requirement that CNI encrypt all portable devices also suggests that, while encryption is an addressable (and not required) standard under the HIPAA Security Rule, OCR may be skeptical that a decision not to encrypt can be justified when covered entities and business associates use mobile devices in their businesses.
 
Saul Ewing attorneys counsel and assist covered entities and business associates with respect to HIPAA Privacy Rule and Security Rule compliance. For more information relating to Saul Ewing’s HIPAA compliance practice, please contact the authors or the Saul Ewing attorney with whom you are regularly in contact. 
