Waiting to Finish That Comprehensive Risk Analysis? $2.5 Million Settlement Serves as a Warning That HIPAA Compliance Is Imperative.
The Breach and Settlement
On April 24, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced a $2.5 million settlement with CardioNet, Inc., a Pennsylvania company that provides patients with ambulatory cardiac monitoring. This is OCR’s first HIPAA settlement with a wireless health services provider.
OCR investigated CardioNet after an employee’s laptop was stolen from a car in the employee’s driveway, which resulted in the electronic protected health information (PHI) of 1,391 patients being compromised.
During its investigation, OCR found that CardioNet failed to conduct a comprehensive and accurate risk analysis in violation of 45 C.F.R. § 164.308(a)(1). While CardioNet had conducted a risk analysis, it was not compliant with HIPAA’s requirements. Further, OCR found that CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI, the encryption of such media, and the movement of those items within its facilities in violation of 45 C.F.R. § 164.310(d)(1). CardioNet had “draft” policies and procedures but failed to implement them at the time of the breach. Finally, OCR found that CardioNet failed to safeguard against the impermissible PHI disclosures and failed to take sufficient steps to immediately correct the disclosure.
Corrective Action Plan
OCR and CardioNet entered into a corrective action plan requiring CardioNet to do the following:
- conduct a comprehensive and thorough risk analysis of security risks and vulnerabilities and review the risk analysis at least annually;
- develop and implement an organization-wide risk management plan to address and mitigate any securities risks and vulnerabilities found in the risk assessment;
- review and revise its security rule policies and procedures based on the findings of the risk analysis and implementation of the risk management plan giving particular focus to device and media controls;
- provide certification that all laptops, flash drives, SD cards, and other portable media devices are encrypted; and
- review and revise training programs based on the findings of the risk analysis and risk management plan with focus on security, encryption, and handling of mobile devices and out-of-office transmissions.
In HHS’s announcement, OCR emphasized its concern with wireless health devices and HIPAA compliance. OCR Director Roger Severino stated, “Mobile devices in the health care sector remain particularly vulnerable to theft and loss. Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
What is an employer or provider to do?
• Risk Assessment and Management:
- Make sure to conduct an annual risk analysis and that it is comprehensive and meets all HIPAA requirements. Consult with legal counsel to ensure such risk analysis is compliant and sufficiently thorough.
- Create and implement a risk management plan that is based off of the vulnerabilities and weaknesses discovered in the risk analysis. Discuss the risk management plan with legal counsel to make sure it encompasses all HIPAA requirements.
• Secure Your Mobile Devices:
- Create and draft specific policies and procedures that focus on mobile device security and be sure to implement and train all employees with access to PHI on these policies and procedures. The CardioNet settlement serves as a reminder that merely having policies and procedures is not enough; they must be implemented and followed.
- If such employees are using mobile devices that would have access to PHI, be sure such devices are encrypted.
Calfee stands ready to assist with a compliance review of your HIPAA practices.