Another HIPAA settlement shows why it is so important to understand the HIPAA requirements and to follow through on action plans rather than leave them half finished.
A press release posted on April 24 by the Office for Civil Rights (OCR) details a recent HIPAA settlement with CardioNet. This latest settlement carries a $2.5 million payment.
CardioNet is a supplier of remote ambulatory cardiac monitoring services. The press release states that this is the first settlement with a wireless health services provider.
In January 2012, a CardioNet laptop was stolen from an employee's vehicle parked outside the employee's home. The laptop reportedly contained the electronic protected health information (ePHI) of 1,391 patients, and the resulting breach report prompted an OCR investigation into CardioNet. During the investigation, OCR found that CardioNet had not completed a sufficient risk analysis and had no risk management process in place. Its policies and procedures for the HIPAA Security Rule requirements were also incomplete: many existed only in draft form, and none covered mobile devices.
OCR and the Office of the National Coordinator for Health Information Technology (ONC) have issued guidance on the use of mobile devices and tips for securing ePHI on mobile devices. This guidance includes using passwords, encryption, remote wiping capabilities, and security software.
Remember: under the HIPAA Security Rule, encryption of ePHI is an "addressable" implementation specification. Addressable does not mean optional. A covered entity must either implement encryption or document why encryption is not reasonable and appropriate in its environment and put an equivalent alternative safeguard in place. For a laptop that routinely leaves the building, there is rarely a credible alternative to full-disk encryption.
The OCR Director, Roger Severino, states that "mobile devices in the health care sector remain particularly vulnerable to theft and loss." Therefore, it would be wise for all health care organizations to encrypt every laptop, phone and tablet that stores or can access ePHI. There is a practical payoff beyond avoiding a settlement: under the HIPAA Breach Notification Rule, ePHI encrypted in line with HHS guidance is treated as secured, so the loss of a properly encrypted device, with the decryption key kept off the device, does not trigger breach notification the way the CardioNet laptop did.
Additionally, complete a HIPAA risk assessment and finalize the written policies and procedures the Security Rule calls for, including ones that cover mobile devices, if you have not already done so; the risk assessment is what tells you which devices hold ePHI in the first place. Otherwise, you may face a similar settlement if OCR investigates you.
Join HIPAAgps today and start using our many compliance tools including an extensive risk assessment, pre-made policy and procedure templates, an employee training module, educational videos and more.