The first HIPAA settlement involving a wireless health services provider, recently announced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), is a big one. The wireless services provider agreed to the settlement by paying $2.5 million and implementing a corrective action plan for potential noncompliance with the HIPAA Privacy and Security Rules.
According to the announcement, CardioNet provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. The company reported to OCR that a workforce member's laptop containing the ePHI of 1,391 individuals was stolen from a vehicle parked outside the employee's home in January 2012.
OCR's findings revealed the following HIPAA deficiencies at the time of the theft:
- No security risk analysis (SRA)
- No risk management processes
- HIPAA policies and procedures that existed only in draft form and had not been implemented
- No policies and procedures regarding safeguards for ePHI, including those for mobile devices
Prior to this announcement, Healthcare Compliance Pros published an article that included three important requirements:
- Implemented Policies and Procedures
- A Completed and Current Security Risk Analysis
- Documentation of Everything
This settlement demonstrates the importance of all three.
If you have any questions or would like more information about how we can help your organization ensure compliance with HIPAA Privacy and Security Rules requirements, please feel free to contact us by phone: 855-427-0427 or by email: [email protected].