
Drew Elizabeth McCormick maintains a general health industry and regulatory practice. Drew advises health care clients on a wide variety of health care regulatory issues, including Medicare and Medicaid regulations, the Federal Anti-Kickback Statute, the Ethics in Patient Referrals Act (Stark Law), the False Claims Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as state fraud and abuse laws, privacy laws, licensure regulation, research regulation, and health care compliance matters. Drew also has experience counseling clients who are undergoing government audits and investigations. Read Drew Elizabeth McCormick's full bio.

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $2.5 million settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile cardiac monitoring services, focused on patients at risk for cardiac arrhythmias. ("Unsecured" ePHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons, for example through encryption consistent with HHS guidance; the theft of an encrypted device would generally not trigger the breach notification obligations at issue here.)

In January 2012, the remote monitoring company reported that a workforce member's laptop containing the ePHI of over a thousand individuals had been stolen from a vehicle parked outside the employee's home. A little over a year later, the same company reported a second breach compromising the ePHI of roughly twice as many individuals (OCR did not release details of that second breach).

OCR's investigation revealed that, at the time of the theft, the company allegedly had insufficient risk analysis and risk management processes in place, both of which are required implementation specifications under the HIPAA Security Rule. In addition, the company's policies and procedures implementing the Security Rule's standards existed only in draft form and had never been implemented, and the company was unable to produce final versions of any policies or procedures governing safeguards for ePHI, including safeguards for mobile devices such as the stolen laptop.
