March 29, 2020


Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.

In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).

OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

This settlement is a reminder to covered entities and business associates, including wireless health service providers, to ensure that they have complete and up-to-date policies and procedures necessary to comply with the HIPAA Privacy and Security Rules. The HIPAA Security Rule also requires covered entities and business associates to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of the confidentiality, integrity and availability of their ePHI, and implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.

“Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected,” said Roger Severino, director of the OCR, in the press release.

To help covered entities and business associates protect and secure ePHI when using mobile devices, the Office of the National Health Coordinator for Health Information Technology within HHS has provided tips and information, available here. Key tips include:

(1) use a password or other user authentication;
(2) install and enable encryption;
(3) install and activate remote wiping and/or disabling;
(4) disable and do not install file sharing applications;
(5) install and enable a firewall and security software, including regular software updates;
(6) research mobile applications before downloading them to your mobile device;
(7) maintain physical control of mobile devices;
(8) use adequate security to send or receive ePHI over public Wi-Fi networks; and
(9) delete all stored ePHI before discarding or reusing a mobile device.

  contributed to this post.

© 2020 McDermott Will & Emery

About this Author

Lisa Schmitz Mazur, Health Law Attorney, McDermott Will Law Firm
Partner

Lisa Schmitz Mazur is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  Lisa maintains a general health industry practice, focusing on the representation of hospitals and health systems and other health industry providers.

Lisa’s representation of hospitals and health systems includes providing guidance on not-for-profit corporate governance matters, tax-exemption issues, conflict of interest compliance and overall corporate compliance effectiveness.  In addition, Lisa regularly assists hospital and health system clients to...

312-984-3275
Associate

Amanda Enyeart is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  Amanda focuses her practice on general regulatory health law matters. 

Previously, Amanda was an associate at a national law firm in its Chicago office where she provided guidance on regulatory issues, such as practitioner licensure; telehealth; Medicare and Medicaid reimbursement; and compliance with Stark Law and the Anti-Kickback Statute and state fraud and abuse laws.

Additionally, Amanda has counseled health care providers and health information technology vendors regarding data privacy and security and related implications of HIPAA and the HITECH Act as well as state data privacy laws. 

312 984 5488