OCR Fines Wireless Health Services Provider $2.5M



The OCR announced the first monetary settlement and corrective action plan involving a wireless health services provider following the theft of a company laptop from an employee’s vehicle.

CardioNet, a company that provides remote mobile monitoring of cardiac arrhythmias, agreed to a corrective action plan and $2.5 million settlement, the Department of Health and Human Services' Office of Civil Rights said April 24.

The settlement was reached after OCR discovered multiple potential violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules.

In January 2012, CardioNet notified OCR that an employee’s laptop containing the electronic protected health information of 1,391 individuals had been stolen from a parked vehicle outside the employee’s home.  

The OCR’s subsequent investigation revealed that CardioNet had insufficient risk analysis and risk management processes in place, and that its policies and procedures implementing the HIPAA Security Rule were in draft form and unimplemented. CardioNet was also unable to produce any final policies or procedures implementing safeguards for ePHI, including those for mobile devices.

The OCR urged companies that deal with electronic protected health information to protect and secure health information when using mobile devices. 

Companies that aren’t directly sharing protected health information with mobile devices but do so through third-party administrators, subcontractors and cloud providers must ensure they have HIPAA-compliant business associate agreements, or they could also face penalties.

In April 2017, the Center for Children’s Digestive Health paid the OCR $31,000 to settle potential HIPAA violations when it could not produce a signed business agreement. (See related story, Skipping the HIPAA Business Associate Agreement Cost One Plan $31K.)

In Sept. 2016, Care New England Health System paid the OCR $400,000 for an out-of-date business associate agreement and its potential HIPAA violations. (See related story, Outdated HIPAA Agreement Costs Business Associate Big Bucks.)
