Originally Published April 26, 2017 by ePlace Solutions, Inc.
The latest HIPAA enforcement action involves the classic theft of an unencrypted laptop, but with an added twist.
The Office for Civil Rights (OCR) agreed to terms with CardioNet to settle violations of the HIPAA Security Rule. The settlement includes a hefty $2.5 million penalty along with a corrective action plan.
Who is CardioNet?
CardioNet is a technology company operating in Pennsylvania. They provide remote mobile heart-monitoring services for patients, and rapid response for those at risk of cardiac arrhythmias.
This represents OCR’s first HIPAA settlement with a wireless health services provider.
CardioNet first reported the incident to OCR’s office at the beginning of 2012. An employee’s laptop was stolen from their car while it was parked outside their house.
As we’ve seen in various cases before, the laptop was unencrypted and contained ePHI of 1,391 individuals.
OCR’s investigation revealed a couple of shortcomings in CardioNet’s HIPAA compliance efforts.
First and foremost, the company failed to conduct a sufficient risk analysis or have adequate risk management processes in place. Additionally, their policies and procedures related to the HIPAA Security Rule’s requirements were still in draft form at the time of the theft.
During the investigation, CardioNet was unable to produce any final policies or procedures for safeguarding ePHI. The assumption is they were never implemented.
OCR chose not to place their focus on the unsecured, stolen device. Rather, their findings emphasized the company’s overall failure to implement required areas of compliance under HIPAA’s Security Rule.
After CardioNet initially reported the breach, OCR gave the company the opportunity to shore up these issues on a voluntary basis. However, OCR noticed the company’s progress was moving too slowly, resulting in the formal enforcement action.
The parties agreed on a $2.5 million fine and corrective action plan as part of the settlement. The corrective action plan requires CardioNet to undertake the following compliance efforts:
- Conduct a risk analysis and develop a risk management plan based on the findings
- Implement revised policies and procedures with respect to safeguarding mobile devices
- Review and revise their workforce training program to comply with the Security Rule
The hefty fine is notable for a couple of reasons:
The organization lacked the fundamental elements of HIPAA compliance – risk analysis and mitigation efforts. One common trend in OCR’s heavier penalties is the failure to conduct a risk analysis. All other risk management practices stem from the findings of an organization’s risk analysis. OCR has made it clear they will drop the hammer on healthcare organizations that neglect the compliance basics.
The other factor in this case was the company’s continued disregard for overall compliance. From the time of the incident to the investigation, CardioNet had plenty of time to implement the policies and procedures required under the Security Rule. The fact that they had yet to finalize those policies and procedures demonstrated their lack of priority for compliance.
LAMMICO republished this article so that our policyholders will take note and ensure that they understand the difference between their basic Medefense™ Plus/Cyber Liability coverage (included in most LAMMICO policies) and their needs for higher limits, which can be purchased through our subsidiary, Elatas Risk Partners. Please contact Carly Thames, Customer Relations Specialist at firstname.lastname@example.org or 225.906.2062 for information on purchasing higher limits of Cyber Liability insurance.