$2.5 Million HIPAA Settlement Illustrates Need to Adequately Assess Security Risks and Implement Safeguards

Regulation | April 25, 2017 | by

Although the case described below does not involve an aging services organization, it nevertheless illustrates the need for all covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to conduct a thorough privacy and security rule risk assessment, and to implement safeguards to address those risks.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). The Pennsylvania-based wireless health services provider CardioNet agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.

In January 2012, CardioNet reported to OCR that a workforce member's laptop had been stolen from a parked vehicle outside the employee's home. The laptop contained the ePHI of 1,391 individuals. OCR's investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were still in draft form and had not been implemented. Further, the organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

HHS has gathered tips and information to help protect and secure health information when using mobile devices.