By Jimmy H. Koo
Wireless cardiac monitoring service CardioNet Inc. has agreed to pay $2.5 million for allegedly losing a laptop containing the health information of 1,391 individuals, the Department of Health and Human Services Office for Civil Rights announced April 24.
The no-fault settlement is the first Health Insurance Portability and Accountability Act settlement involving a wireless health-care service provider, OCR said.
Wireless health-care service providers are subject to the same federal oversight and enforcement of patient data security as other health-care companies. The case underscores that companies involved in wireless transmission of health-care information must not lose sight of basic, non-wireless data security practices, such as properly securing laptops.
Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs (US) LLP in Washington, told Bloomberg BNA April 24 that the settlement shows that the OCR is “focused on evolving technologies, such as mobile health solutions.”
In the past year, OCR has “issued guidance for mobile health application developers, helped develop a tool to evaluate the laws applicable to mobile health apps in connection with other agencies, and developed a portal designed to provide guidance to health app developers.” However, OCR’s allegations in the CardioNet resolution agreement are “largely similar to many of OCR’s prior settlements,” he said.
According to the resolution agreement, in 2012 Pennsylvania-based CardioNet notified OCR that an employee’s laptop was stolen, compromising patients’ electronic protected health information (ePHI). The OCR said that CardioNet had an insufficient risk analysis and management process in place. The enforcement action investigation concluded that the company’s HIPAA Security Rule policies and procedures were in draft form and hadn’t been implemented.
BioTelemetry Inc., CardioNet’s corporate parent, is the fifth largest public electrophysiology device company in the world with an $869.2 million market capitalization, Bloomberg data show. Electrophysiology involves monitoring electrical activity in the human heart to detect abnormal rhythms.
The company allegedly wasn’t able to provide any final policies or procedures for protecting ePHI, including for mobile devices. The HIPAA Security Rule sets national standards to protect ePHI by requiring appropriate administrative, technical and physical safeguards.
Settling the allegations without admitting any liability, CardioNet also agreed to implement a data security corrective action plan to address the missing safeguards.
CardioNet’s settlement shows that it is “critical for companies to conduct an accurate and thorough risk assessment and then implement a security management process to reduce risks to a reasonable and appropriate level,” Golding said. Policies and procedures are “more than a formality and need to be actually implemented and followed,” he said. Even small breaches can lead to an OCR investigation that results in a large settlement, Golding said.
CardioNet didn’t immediately respond to Bloomberg BNA’s email request for comment.
To contact the reporter on this story: Jimmy H. Koo in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Text of the settlement is available at https://www.hhs.gov/sites/default/files/cardionet-ra-cap.pdf
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.