CardioNet $2.5M Settlement Is Wireless Health Privacy First


By Jimmy H. Koo

Wireless cardiac monitoring service CardioNet Inc. has agreed to pay $2.5 million for allegedly losing a laptop containing the health information of 1,391 individuals, the Department of Health and Human Services Office for Civil Rights announced April 24.

The no-fault settlement is the first Health Insurance Portability and Accountability Act settlement involving a wireless health-care service provider, OCR said.

Wireless health-care service providers are subject to the same federal oversight of patient data security, and the same enforcement actions, as other health-care companies. The case underscores that companies involved in the wireless transmission of health-care information must not lose sight of basic, non-wireless data security best practices, such as properly securing laptops.

Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs (US) LLP in Washington, told Bloomberg BNA April 24 that the settlement shows that the OCR is “focused on evolving technologies, such as mobile health solutions.”

In the past year, OCR has “issued guidance for mobile health application developers, helped develop a tool to evaluate the laws applicable to mobile health apps in connection with other agencies, and developed a portal designed to provide guidance to health app developers.” However, OCR’s allegations in the CardioNet resolution agreement are “largely similar to many of OCR’s prior settlements,” he said.

Security Policy Implementation Issues

According to the resolution agreement, in 2012 Pennsylvania-based CardioNet notified OCR that an employee’s laptop had been stolen, compromising patients’ electronic protected health information (ePHI). OCR said that CardioNet had an insufficient risk analysis and risk management process in place. The enforcement investigation concluded that the company’s HIPAA Security Rule policies and procedures were still in draft form and hadn’t been implemented.

BioTelemetry Inc., CardioNet’s corporate parent, is the fifth largest public electrophysiology device company in the world, with an $869.2 million market capitalization, Bloomberg data show. Electrophysiology involves monitoring electrical activity in the human heart to detect abnormal rhythms.

The company allegedly wasn’t able to provide any final policies or procedures for protecting ePHI, including for mobile devices. The HIPAA Security Rule sets national standards to protect ePHI by requiring appropriate administrative, technical and physical safeguards.

Settling the allegations without admitting any liability, CardioNet also agreed to implement a data security corrective action plan to address the missing safeguards.

CardioNet’s settlement shows that it is “critical for companies to conduct an accurate and thorough risk assessment and then implement a security management process to reduce risks to a reasonable and appropriate level,” Golding said. Policies and procedures are “more than a formality and need to be actually implemented and followed,” he said. Even small breaches can lead to an OCR investigation that results in a large settlement, Golding said.

CardioNet didn’t immediately respond to Bloomberg BNA’s email request for comment.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Text of the settlement is available at https://www.hhs.gov/sites/default/files/cardionet-ra-cap.pdf

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
