HIPAA Horror Stories

Mobile Monitoring Mayhem

one-minute read

A cardiac monitoring service pays $2.5 million after breaching protected health information

When it comes to protected health information, the regulators are serious. No matter how small you are, and no matter how insignificant a breach may seem, failure to understand and comply with Health Insurance Portability and Accountability Act (HIPAA) rules can have terrifying financial effects on a business.

In January 2012, a Pennsylvania-based medical monitoring company, CardioNet, reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that a laptop computer had been stolen from an employee’s car. The employee was inside their home at the time of the theft. The car was unlocked and parked outside.

The laptop contained the Electronic Protected Health Information (ePHI) of 1,391 individuals. CardioNet provides remote mobile monitoring for and rapid response to patients at risk for cardiac arrhythmias. Under HIPAA rules, CardioNet is considered a HIPAA “Covered Entity.”

Protected Health Information Breaches Are Costly

In 2017, CardioNet paid OCR $2.5 million for the unauthorized disclosure.

OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.

Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.

Further, the Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

OCR Director Warns of Protected Health Information Breaches

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

In addition to the hefty fine, CardioNet was required to participate in a lengthy corrective action plan.

Do you have company laptops in the hands of employees? Are those employees trained? If so, are the training standards and HIPAA compliance infrastructure at your organization sufficient to pass an OCR investigation. If you’re not sure, we need to talk.

Photo by freestocks on Unsplash

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
Saint Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free