A cardiac monitoring service pays $2.5 million after breaching protected health information
When it comes to protected health information, the regulators are serious. No matter how small you are, and no matter how insignificant a breach may seem, failure to understand and comply with Health Insurance Portability and Accountability Act (HIPAA) rules can have terrifying financial effects on a business.
In January 2012, a Pennsylvania-based medical monitoring company, CardioNet, reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that a laptop computer had been stolen from an employee’s car. The employee was inside their home at the time of the theft. The car was unlocked and parked outside.
The laptop contained the Electronic Protected Health Information (ePHI) of 1,391 individuals. CardioNet provides remote mobile monitoring for and rapid response to patients at risk for cardiac arrhythmias. Under HIPAA rules, CardioNet is considered a HIPAA “Covered Entity.”
Protected Health Information Breaches Are Costly
In 2017, CardioNet paid OCR $2.5 million for the unauthorized disclosure.
OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft.
Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.
Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
OCR Director Warns of Protected Health Information Breaches
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
In addition to the hefty fine, CardioNet was required to participate in a lengthy corrective action plan.
Do you have company laptops in the hands of employees? Are those employees trained? If so, are the training standards and HIPAA compliance infrastructure at your organization sufficient to pass an OCR investigation? If you’re not sure, we need to talk.