Manufacturer CardioNet to Pay $2.5M HIPAA Settlement

This is the first HIPAA settlement involving a wireless health services provider.

Device manufacturer CardioNet reached a $2.5 million settlement with the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

The potential violations occurred when a CardioNet employee’s laptop was stolen in January of 2012 from a parked vehicle outside of his home. The laptop contained unsecured electronic protected health information, or ePHI, of 1,391 people.

CardioNet provides mobile monitoring and rapid response to patients at risk for cardiac arrhythmias, according to Healthcare Informatics.

The HIPAA settlement is the first of its kind involving a wireless health services provider.

OCR’s investigation revealed the company had insufficient risk analysis and management processes in place. The company could not produce finalized policies or procedures showing ePHI safeguards as required by the HIPAA Security Rule.

CardioNet agreed to a corrective action plan that includes the following:

  • CardioNet will conduct a security risk analysis incorporating its facilities, equipment, data systems and applications that contain, transmit or receive ePHI.
  • CardioNet will implement a security risk management plan to address vulnerabilities identified in its risk analysis.
  • CardioNet will revise its Security Rule Policies and Procedures, if necessary, paying close attention to media controls. The company must also provide HHS with certification that all laptops, flash drives, SD cards and other portable media devices are encrypted.
  • CardioNet will review and revise its training program, if necessary, focusing on security, encryption, and handling of mobile devices and out-of-office transmissions.

The company will be required to submit the results of all four implementations to the HHS for approval.
