The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced on April 24, 2017, a $2.5 million settlement with mobile health services company CardioNet over its “potential noncompliance” with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, stemming from the exposure of unsecured electronic protected health information (ePHI) of more than a thousand individuals. OCR touted the settlement as its first with a wireless health services provider.
The settlement requires CardioNet to adopt a Corrective Action Plan, as part of which CardioNet must:
- conduct a risk analysis to identify the security risks and vulnerabilities to its systems that house ePHI;
- develop and implement a risk management plan to mitigate those risks and vulnerabilities;
- review—and potentially revise—its security policies for electronic devices and media; and
- review—and potentially revise—its training program related to the security of ePHI.