HHS Settlement for $2.5 Million Highlights HIPAA Compliance Requirements

On April 24, 2017, HHS issued a press release announcing a settlement with CardioNet for $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI). The announcement is significant because it is the first settlement involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

The specifics of the situation, which involved an employee’s laptop being stolen from a vehicle parked outside the employee’s home, may be reviewed in the press release and resolution agreement issued by HHS. This settlement should serve as a reminder that all covered entities, including employers who self-insure their group health plans, must have sufficient risk analysis and risk management processes in place. The covered entity in this situation was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices. In addition to the settlement payment, HHS will require the covered entity to comply with a corrective action plan going forward.

HHS Press Release
Resolution Agreement
More Information