On April 24, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement with CardioNet, Inc. (“CardioNet”) stemming from gaps in policies and procedures uncovered after CardioNet reported breaches of unsecured electronic protected health information (“ePHI”). CardioNet provides patients with an ambulatory cardiac monitoring service, and the settlement is OCR’s first with a wireless health services provider.
In early 2012, CardioNet submitted two breach notifications to OCR, one of which was prompted by the theft of a laptop from an employee’s parked vehicle outside of the employee’s home. During its subsequent investigation, OCR determined that CardioNet did not have an adequate risk analysis or risk management plan in place at the time of the theft, and that certain CardioNet policies and procedures addressing HIPAA Security Rule requirements existed only in draft form, having never been implemented. Additionally, CardioNet failed to produce any final policies and procedures regarding the implementation of safeguards for ePHI.
The resolution agreement required CardioNet to pay $2.5 million and enter into a corrective action plan (the “CAP”), which obligates CardioNet to:
- conduct a risk analysis;
- develop and implement a risk management plan;
- implement secure device and media controls;
- certify that all laptops, flashdrives, SD cards and other portable media devices are encrypted; and
- review and revise its training program for the Security Rule.
In addition to the above, the CAP requires CardioNet to report to OCR if it determines that a member of its workforce has failed to comply with its Security Rule policies and procedures (including corrective actions taken) and to submit reports on its compliance with the CAP to OCR.
OCR Director Roger Severino stated that “[m]obile devices in the health care sector remain particularly vulnerable to theft and loss” and that “[f]ailure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.”