HIPAA Settlement With Wireless Health Services Provider Is Less Than Meets The Eye

King & Spalding

On April 24, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $2.5 million HIPAA settlement with CardioNet, a wireless health services provider.  CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.  OCR’s press release stated that “[t]his settlement is the first involving a wireless health services provider.”

However, as it turns out, the conduct at issue, although highly problematic, was in fact a quite old-fashioned fumble:  An unencrypted laptop containing the protected health information (“PHI”) of 1,391 individuals was stolen from a car parked outside an employee’s home.  OCR has consistently demonstrated its intolerance for the storage of PHI on unencrypted portable devices.  In fact, although OCR virtually always resolves enforcement actions through voluntary settlements, in February of this year OCR took the extraordinary step of imposing a $3.2 million civil money penalty against a medical center that had experienced separate breach incidents involving an unencrypted laptop and an unencrypted BlackBerry.  In that proceeding, OCR cited the medical center for, among other things, an alleged “failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media” despite, according to OCR, the medical center’s longstanding knowledge of the risks of maintaining unencrypted PHI on its devices.

OCR also stated that its investigation of the impermissible disclosure revealed that, at the time of the theft, CardioNet had insufficient risk analysis and risk management processes in place and had failed to adopt and implement HIPAA Security Rule policies and procedures, which existed only in draft form.  Again, these alleged compliance failures are not in any way cutting-edge information security issues unique to wireless health services providers; they are basic HIPAA blocking and tackling that has long been a concern of OCR.

Unlike some enforcement agencies, OCR is very transparent about its key HIPAA enforcement priorities, and encryption of portable electronic devices and media, together with meaningful risk assessment and management, sits at the top of the list.  Encryption also carries a practical benefit beyond avoiding an enforcement action: PHI that is encrypted in accordance with HHS guidance (which points to NIST standards) is treated as “unusable, unreadable, or indecipherable to unauthorized persons,” so the loss of such a device is not a reportable breach under the HIPAA Breach Notification Rule.  OCR has published a number of guidance documents that can help covered entities and business associates make efficient use of their compliance resources, including guidance focused on mobile device security, remote access to information systems, electronic security risk assessments, data encryption and threats from ransomware.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
