On April 24, 2017, the United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced a $2.5 million settlement that should get the attention of every Covered Entity that lacks a formal HIPAA Compliance Plan.
CardioNet, a wholly owned subsidiary of BioTelemetry, is a cardiac monitoring service headquartered in Malvern, PA. It is a “Covered Entity” as defined by 45 C.F.R. §160.103, and therefore, required to comply with the HIPAA Privacy Rules. In 2012, CardioNet notified OCR of breaches of unsecured Electronic Protected Health Information (ePHI). OCR’s subsequent investigation of the breaches revealed that CardioNet:
- failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities; and failed to implement the specifications required to establish a security management process to prevent, detect, contain, and correct security violations; and
- failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
- failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.
To avoid the uncertainty of further investigations and proceedings, CardioNet agreed to pay $2,500,000.00 and enter into a Corrective Action Plan (CAP) that requires the entity to:
- submit to HHS for review and approval a current, comprehensive and thorough Risk Analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems, and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive ePHI;
- implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis;
- review and revise its Security Rule Policies and Procedures and provide certification that all laptops, flash drives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used; and
- review and revise its current Security Rule Training Program to comply with the HIPAA Security Rule and include a focus on security, encryption, and handling of mobile devices and out-of-office transmissions.

In addition to these requirements, CardioNet must also fulfill a variety of reporting requirements to comply with the CAP. Any failure to satisfy the CAP requirements may result in civil monetary penalties.
Had CardioNet undertaken a comprehensive risk analysis and implemented the required safeguards against impermissible disclosure of ePHI, it likely would have avoided the breaches that gave rise to this expensive resolution. Cases such as this are a reminder to covered entities of the perils of not taking HIPAA compliance seriously.
Frier Levitt provides risk analyses, comprehensive HIPAA compliance plans, data breach analyses and reporting and required annual training for physicians and their staffs. Contact Frier Levitt to speak to an attorney.