Lessons from OCR HIPAA Settlements – Mobile Device Security Standards

May 3, 2017

In the first known case involving a wireless provider, a cardiology service provider agreed to pay a $2.5 million settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). The company provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The company disclosed to the Office of Civil Rights (OCR) that a workforce member’s laptop had been stolen from a vehicle parked outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. The disclosure of this situation resulted in an OCR investigation that revealed the company did not maintain an adequate risk analysis and risk management process. The investigation also revealed that HIPAA security policies were in draft form and had not been implemented. No policies could be produced to specifically address safeguards protecting ePHI.

In the press release relating to this matter, the OCR made a special point to highlight the need to adopt and implement policies to address the special risks involved with using mobile devices in the health care industry. OCR made a rather strong comment regarding the need to address mobile device risks, stating: “[f]ailure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

Lesson 1 – Adopt and implement policies and procedures addressing security risks associated with the use of mobile devices.

Lesson 2 – Make sure your policies and procedures are in final form and have been adopted and implemented as active policies.

Lesson 3 – Many providers focus on HIPAA privacy policies and overlook HIPAA security standards. Do not make this mistake.

By John H. Fisher II



© 2024 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.