In the first known case involving a wireless provider, a cardiology service provider agreed to pay a $2.5 million settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). The company provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The company disclosed to the Office of Civil Rights (OCR) that a workforce member’s laptop had been stolen from a vehicle parked outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. The disclosure of this situation resulted in an OCR investigation that revealed the company did not maintain an adequate risk analysis and risk management process. The investigation also revealed that HIPAA security policies were in draft form and had not been implemented. No policies could be produced to specifically address safeguards protecting ePHI.
In the press release relating to this matter, the OCR made a special point to highlight the need to adopt and implement policies that address the particular risks involved with using mobile devices in the health care industry. OCR made a rather strong comment regarding the need to address mobile device risks, stating: “[f]ailure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
Lesson 1 – Adopt and implement policies and procedures addressing security risks associated with the use of mobile devices.
Lesson 2 – Make sure your policies and procedures are in final form and have been adopted and implemented as active policies.
Lesson 3 – Many providers focus on HIPAA privacy policies and overlook HIPAA security standards. Do not make this mistake.