Device manufacturer CardioNet reached a $2.5 million settlement with the HHS’ Office for Civil Rights for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The potential violations occurred when a CardioNet employee’s laptop was stolen in January of 2012 from a parked vehicle outside of his home. The laptop contained unsecured electronic protected health information, or ePHI, of 1,391 people.
CardioNet provides mobile monitoring and rapid response to patients at risk for cardiac arrhythmias, according to Healthcare Informatics.
The HIPAA settlement is the first of its kind involving a wireless health services provider.
OCR’s investigation revealed the company had insufficient risk analysis and management processes in place. The company could not produce finalized policies or procedures showing ePHI safeguards as required by the HIPAA Security Rule.
CardioNet agreed to a corrective action plan that includes the following:
- CardioNet will conduct a security risk analysis incorporating its facilities, equipment, data systems and applications that contain, transmit or receive ePHI.
- CardioNet will implement a security risk management plan to address vulnerabilities in its risk analysis.
- CardioNet will revise its Security Rule Policies and Procedures, if necessary, paying close attention to media controls. The company must also provide HHS with certification that all laptops, flash drives, SD cards and other portable media devices are encrypted.
- CardioNet will review and revise its training program, if necessary, focusing on security, encryption, and handling of mobile devices and out-of-office transmissions.
The company will be required to submit the results of all four implementations to the HHS for approval.