2.5 Million Dollar HIPAA Settlement Highlights Three Important HIPAA Lessons

On April 24, 2017, the Office for Civil Rights (OCR) of the Department of Health and Human Services (the entity in charge of enforcing HIPAA) announced a $2.5 million settlement with CardioNet.

CardioNet self-reported (as required by the Breach Notification Rule) an incident where an employee’s laptop was stolen from a locked car. When OCR investigated the incident, it alleged that CardioNet had not completed a sufficient HIPAA “risk analysis” and had not finalized its policies and procedures.

Three valuable lessons that can be taken from this incident are:

  1. Encrypt laptops and other mobile devices! If the stolen laptop had been encrypted, CardioNet would not have needed to report this incident as a “breach” because the protected health information would not have been “unsecured.” The Department of Health and Human Services has posted guidance to help providers better understand how to encrypt laptops and other mobile devices.
  2. Ensure that your organization has HIPAA policies! These policies must address both the HIPAA Privacy Rule and the HIPAA Security Rule. Draft policies are not sufficient, and templates are not sufficient if they have not been customized to the covered entity.
  3. Complete and document a full Risk Assessment! This is a requirement of the HIPAA Security Rule and arguably the most important requirement, because it will guide your organization’s decisions on which safeguards to put in place and how the HIPAA Security Rule requirements will be met. This risk assessment should be reevaluated yearly and any time there are changes within the organization (e.g., a new computer system is deployed or employees are provided with laptops). The Department of Health and Human Services has posted resources to assist you with this process.

It is also important to remember that the HIPAA Rules apply not only to health care providers and other covered entities, but also to anyone who is working as a business associate of the covered entity, i.e., anyone who is not part of the covered entity’s workforce and who creates, receives, maintains, or transmits protected health information while providing services to the covered entity.

If you are interested in receiving a quote for the review, update or creation of HIPAA Policies and Procedures for your organization, please contact one of our healthcare attorneys.
