On April 24th, 2017, CardioNet, a wireless health services provider, agreed to a 2.5 million dollar settlement with the Department of Health and Human Services over its impermissible disclosure of unsecured electronic protected health information (ePHI). HIPAA (the Health Insurance Portability and Accountability Act) was passed in 1996 to safeguard ePHI. CardioNet’s impermissible disclosure came about when an employee left a laptop containing ePHI in their car overnight, where it was stolen. CardioNet then complied with the Breach Notification Rule and reported the theft to the Department of Health & Human Services Office for Civil Rights, which began an investigation. The investigation compounded CardioNet’s problems when it revealed that the policies and procedures the organization was required to have in place existed only in draft form.
The Department of Health & Human Services maintains a database of breaches affecting five hundred or more individuals. Of the 1,955 cases where data was compromised, 373 involved a laptop. Many of these cases could have been prevented by vigilant employees taking an extra 30 seconds to secure their laptop inside their residence overnight. While this could have the unintended consequence of more employees arriving at work the next day only to find their laptop is still at home, it might well result in fewer impermissible disclosures of ePHI, and a significant cost saving in settlement fees for employers.
The breach itself was only one facet of CardioNet’s problem. It revealed that the company was not prepared to comply with the DHHS’s Security Rule. Here are just four provisions within the lengthy Rule that entities must comply with:
1: Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit. This means entities must restrict access to ePHI by unauthorized individuals, ensure it is not destroyed or altered, and ensure it is readily available to those who are authorized to use it.
2: Identify and protect against reasonably anticipated threats to the security or integrity of the information. Companies must perform risk assessments not just initially but continuously in order to manage current risks as well as those that change over time.
3: Protect against reasonably anticipated, impermissible uses or disclosures. Entities must take the vulnerabilities identified during risk assessment and put safeguards in place to mitigate them.
4: Ensure compliance by their workforce. Once policies are in place, management must play an active role in communicating and enforcing those policies to ensure they are effective.
After reading the CardioNet case study, we see that theft of portable electronic devices containing ePHI is a substantial risk. One safeguard is to implement a policy that restricts taking laptops containing ePHI home, or to communicate to employees that such laptops are not permitted to be left overnight in personal vehicles, along with the consequences if they are. For more information on the HIPAA requirements please visit: https://www.hhs.gov/hipaa/index.html
Author: Tony Cafferelli