Health Care Blog

Lessons from OCR HIPAA Settlements - Mobile Device Security Standards

Authored by John H. Fisher, II
Posted on May 3, 2017
Filed under Health Care

In the first known case involving a wireless provider, a cardiology service provider agreed to pay a $2.5 million settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). The company provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. The company disclosed to the Office of Civil Rights (OCR) that a workforce member’s laptop had been stolen from a vehicle parked outside the employee’s home. The laptop contained the ePHI of 1,391 individuals. The disclosure of this situation resulted in an OCR investigation that revealed the company did not maintain an adequate risk analysis and risk management process. The investigation also revealed that HIPAA security policies were in draft form and had not been implemented. No policies could be produced that specifically addressed safeguards protecting ePHI.

In the press release relating to this matter, the OCR made a special point of highlighting the need to adopt and implement policies addressing the special risks involved with using mobile devices in the health care industry. OCR made a rather strong comment regarding the need to address mobile device risks, stating “[f]ailure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.  This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

Lesson 1 – Adopt and implement policies and procedures addressing security risks associated with the use of mobile devices.

Lesson 2 – Make sure your policies and procedures are in final form and have been adopted and implemented as active policies.

Lesson 3 – Many providers focus on HIPAA privacy policies and overlook HIPAA security standards.  Do not make this mistake.