02 November 2017

$2.5 Million is an Expensive Laptop!


In April 2017, the U.S. Department of Health and Human Services (“HHS”) announced yet another HIPAA settlement agreement with a health care provider relating to a stolen mobile device containing Protected Health Information (“PHI”).  As part of this settlement agreement, CardioNet agreed to pay $2.5 million and implement a corrective action plan resulting from the breach of the PHI of 1,391 individuals, after a laptop was stolen from an employee’s car outside the employee’s home.

What makes this situation unique, however, is that CardioNet provides wireless health services.  CardioNet’s website advertises that it “has developed an integrated technology and service – Mobile Cardiac Outpatient Telemetry™ (MCOT™) – which enables heartbeat-by-heartbeat, ECG monitoring, analysis and response, at home or away, 24/7/365.”

By no means do we try to single out CardioNet, but it is striking that an entity with a sophisticated electronic platform would fall victim to such a simple HIPAA breach: a stolen laptop.  It makes you wonder, if CardioNet can’t get it right, how does my organization stand a chance?

The good news is that, while difficult, HIPAA compliance—even with respect to electronic PHI or ePHI—is not impossible.  It does, however, require affirmative action steps and periodic compliance checks.

Most importantly, if your organization deals with ePHI, ask yourself (or better yet, your HIPAA Security Officer): have we conducted a written risk assessment recently?  If not, that’s step one.  HIPAA provides helpful information on this process on its website (which is available here).  Additionally, a number of qualified entities are available, for a fee, to assist with this process.  According to the settlement agreement, this is one area that CardioNet skipped (or didn’t complete thoroughly).

Next, if your organization utilizes mobile devices, consider the impacts of HIPAA on those mobile devices.  Again, on its website, HHS provides a straightforward five-step analysis to assist with this process.  Here are those five steps:

  1. Decide – Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or used as part of your organization’s internal networks or systems.
  2. Assess – Consider how mobile devices affect the risks (threats and vulnerabilities) to the health information your organization holds.
  3. Identify – Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.
  4. Develop, Document, and Implement – Develop, document, and implement the organization’s mobile device policies and procedures to safeguard health information.
  5. Train – Conduct mobile device privacy and security awareness and training for providers and professionals.

Additional information about this five-step analysis (as well as other helpful information) is available here.  Additionally, members of Miller Johnson’s Privacy and Cybersecurity Team can assist with steps two through five.

Finally, in future blog posts, we will explore the process of encryption, which could have prevented CardioNet’s breach.