Manufacturer CardioNet to Pay $2.5M HIPAA Settlement

This is the first HIPAA settlement involving a wireless health services provider.
Published: April 25, 2017

Device manufacturer CardioNet reached a $2.5 million settlement with the HHS’ Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

The potential violations occurred when a CardioNet employee’s laptop was stolen in January of 2012 from a parked vehicle outside of his home. The laptop contained unsecured electronic protected health information, or ePHI, of 1,391 people.

CardioNet provides mobile monitoring and rapid response to patients at risk for cardiac arrhythmias, according to Healthcare Informatics.

The HIPAA settlement is the first of its kind involving a wireless health services provider.

OCR’s investigation revealed the company had insufficient risk analysis and management processes in place. The company could not produce finalized policies or procedures showing ePHI safeguards as required by the HIPAA Security Rule.

CardioNet agreed to a corrective action plan that includes the following:

  • CardioNet will conduct a security risk analysis incorporating its facilities, equipment, data systems and applications that contain, transmit or receive ePHI.
  • CardioNet will implement a security risk management plan to address the vulnerabilities identified in that risk analysis.
  • CardioNet will revise its Security Rule Policies and Procedures, if necessary, paying close attention to media controls. The company must also provide HHS with certification that all laptops, flash drives, SD cards and other portable media devices are encrypted.
  • CardioNet will review and revise its training program, if necessary, focusing on security, encryption, and handling of mobile devices and out-of-office transmissions.

The company will be required to submit the results of all four corrective actions to HHS for approval.
