A Malvern, Pa.-based wireless health services provider, CardioNet, has agreed to a $2.5 million HIPAA settlement that stemmed from the theft of an employee's laptop containing the electronic protected health information (ePHI) of more than 1,000 individuals. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the settlement on April 24, 2017.
During the course of OCR's investigation following CardioNet's report of the stolen laptop, it was discovered that the organization had insufficient risk analysis and risk management processes and did not have final policies or procedures in place regarding the implementation of safeguards for ePHI, including for mobile devices.
"Mobile devices in the health care sector remain particularly vulnerable to theft and loss," said Roger Severino, OCR Director.
The settlement serves as a reminder that there are steps that practices and organizations can take in terms of security for mobile devices. The U.S. Office of the National Coordinator for Health Information Technology (ONC) offers a resource that outlines five steps organizations can take to manage mobile devices used by health care professionals:
- Decide whether mobile devices will be used to access, receive, transmit, or store patients' health information or used as part of your organization's internal networks or systems (such as your EHR).
- Assess how mobile devices affect the risk to your organization's health information.
- Identify your organization's mobile risk device management strategy, including privacy and security safeguards.
- Develop, document, and implement the organization's mobile device policies and procedures.
- Train by conducting mobile device privacy and security awareness training.
ONC offers a variety of resources on mobile device and health information privacy and security, including how to protect and secure information when using a mobile device and a series of FAQs. Check them out here.
To access all of PAMED's HIPAA resources, visit www.pamedsoc.org/hipaa.