February 21, 2019

February 20, 2019

Subscribe to Latest Legal News and Analysis

February 19, 2019

Subscribe to Latest Legal News and Analysis

February 18, 2019

Subscribe to Latest Legal News and Analysis

Wireless Healthcare Services Provider’s $2.5m Settlement Demonstrates Why Understanding HIPAA Requirements Is a Must

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $2.5 million Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement with CardioNet, which is a company that provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The settlement is based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (ePHI).  

This settlement is noteworthy for two reasons. First, the monetary size of the settlement figure, which is $2.5 million, is staggering. Second, it is the first settlement involving a wireless healthcare services provider. 

The circumstances that led to the settlement are that in January 2012, CardioNet reported to OCR that an employee’s laptop, which contained the electronic protected health information (ePHI) of individuals, was stolen from the employee’s car. OCR’s investigation showed that CardioNet had insufficient risk analysis and risk management processes in place when the ePHI was stolen. The investigation also revealed that CardioNet’s policies and procedures designed to meet the standards of the HIPAA Security Rule had not been implemented at the time of the theft and were only in draft form. CardioNet was also unable to show OCR it had adopted any final policies or procedures regarding the implementation of safeguards for ePHI, including any for mobile devices. 

As we have written about before, mobile devices and healthcare employees that telecommute remain two areas in the healthcare industry that are particularly vulnerable to loss. A business’ failure to implement mobile device security makes sensitive ePHI easy for the taking and a company’s disregard for or failure to follow HIPAA’s rules can lead to significant fines and brand reputation distrust.  Applies whether or not healthcare services are provided at a facility or not.

© Copyright 2019 Dickinson Wright PLLC


About this Author

Sara H. Jodka, Dickinson Wright, largescale layoffs lawyer, employment reductions attorney
Of Counsel

Sara H. Jodka, Of Counsel at Dickinson Wright, dedicates her practice to working with employers to anticipate, identify, and resolve labor and employment, data privacy, related compliance issues and litigation risks in today’s ever evolving workplace. Sara devotes a significant part of her practice to proactively counseling employers in litigation prevention and overall compliance with state, federal, and administrative laws and regulations, which includes reviewing and revising employee handbooks and policies; counseling management regarding termination decisions (...