Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.

In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).

OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

The full Resolution Agreement and Corrective Action Plan may be accessed here.

This settlement is a reminder to covered entities and business associates, including wireless health service providers, to ensure that they have complete and up-to-date policies and procedures necessary to comply with the HIPAA Privacy and Security Rules. The HIPAA Security Rule also requires covered entities and business associates to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of the confidentiality, integrity and availability of their ePHI, and implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.

“Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected,” said Roger Severino, director of the OCR, in the press release.

To help covered entities and business associates protect and secure ePHI when using mobile devices, the Office of the National Health Coordinator for Health Information Technology within the HHS has provided tips and information, available here. Key tips include:

(1) use a password or other user authentication;
(2) install and enable encryption;
(3) install and activate remote wiping and/or disabling;
(4) disable and do not install file sharing applications;
(5) install and enable a firewall and security software, including regular software updates;
(6) research mobile applications before downloading them to your mobile device;
(7) maintain physical control of mobile devices;
(8) use adequate security to send or receive ePHI over public Wi-Fi networks; and
(9) delete all stored ePHI before discarding or reusing a mobile device.

Amanda Enyeart
Amanda Enyeart maintains a general health industry and regulatory practice, focusing on fraud and abuse, information technology and digital health matters. Amanda advises health care industry clients in all aspects of software licenses and other agreements for the acquisition of electronic health record (EHR) systems and other mission critical health IT. Amanda’s health care IT transactional experience also includes advising clients with respect to software development, maintenance, service and outsourced hosting arrangements, including cloud-computing transactions. Read Amanda Enyeart's full bio.


Drew Elizabeth McCormick
Drew Elizabeth McCormick maintains a general health industry and regulatory practice. Drew advises health care clients on a wide variety of health care regulatory issues, including Medicare and Medicaid regulations, the Federal Anti-Kickback Statute, Ethics in Patient Referral Law, False Claims Act and Health Insurance Portability and Accountability Act (HIPAA), as well as state fraud and abuse laws, privacy laws, licensure regulation, research regulation, and health care compliance matters. Drew also has experience counseling clients who are undergoing government audits and investigations. Read Drew Elizabeth McCormick's full bio.


Lisa Mazur
Lisa Mazur advises health care providers and technology companies on a variety of legal, regulatory and compliance matters with a particular focus on digital health topics, including telehealth, telemedicine, mobile health and consumer wellness. Lisa advises a variety of health care providers and technology companies involved in “digital health,” including assisting clients in developing and implementing telemedicine programs by advising on issues related to professional licensure, scope of practice, informed consent, prescribing and reimbursement. Lisa helps clients identify and understand the relevant legal issues, and develop and implement practical, forward-thinking solutions and strategies that meet the complex and still-evolving digital health regulatory landscape. Read Lisa Mazur's full bio.