On April 24, 2017, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias, has paid $2.5 million to settle alleged HIPAA violations. This is the first HIPAA settlement involving a remote or telehealth provider. This settlement announcement reminds covered entities and business associates of the importance of finalizing and implementing policies and procedures and conducting adequate risk analyses and risk management plans.

This is the first HIPAA settlement involving a remote or telehealth provider.

Summary of the CardioNet Breach

In January 2012, CardioNet notified OCR about a breach that occurred when a workforce member’s unencrypted laptop was stolen from the employee’s car, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI). Shortly thereafter, OCR launched an investigation into the impermissible disclosure. OCR alleged that at the time of the theft CardioNet had an inadequate risk analysis and risk management plan in place. Moreover, OCR found that CardioNet had failed to implement final policies and procedures as required under the HIPAA Security Rule. Rather, those policies and procedures were in draft form at the time of the breach. Finally, CardioNet was unable to provide any final documentation regarding the implementation of safeguards for ePHI, notably those for mobile devices.

Read the full analysis