Advisories
A Draft Won’t Do: OCR Settles with CardioNet $2.5m for Failing to Finalize Policies and Procedures
By Adam H. Greene, Rebecca L. Williams, and Sean R. Baird
05.01.17
On April 24, 2017, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias, has paid $2.5 million to settle alleged HIPAA violations. This is the first HIPAA settlement involving a remote or telehealth provider. This settlement announcement reminds covered entities and business associates of the importance of finalizing and implementing policies and procedures and conducting adequate risk analyses and risk management plans.
Summary of the CardioNet Breach
In January 2012, CardioNet notified OCR about a breach that occurred when a workforce member’s unencrypted laptop was stolen from the employee’s car, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI). Shortly thereafter, OCR launched an investigation into the impermissible disclosure. OCR alleged that at the time of the theft CardioNet had an inadequate risk analysis and risk management plan in place. Moreover, OCR found that CardioNet had failed to implement final policies and procedures as required under the HIPAA Security Rule. Rather, those policies and procedures were in draft form at the time of the breach. Finally, CardioNet was unable to provide any final documentation regarding the implementation of safeguards for ePHI, notably those for mobile devices.
Take-Away Considerations
There are a number of important considerations that both covered entities and business associates should consider in light of OCR’s settlement with CardioNet.
Summary of the CardioNet Breach
In January 2012, CardioNet notified OCR about a breach that occurred when a workforce member’s unencrypted laptop was stolen from the employee’s car, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI). Shortly thereafter, OCR launched an investigation into the impermissible disclosure. OCR alleged that at the time of the theft CardioNet had an inadequate risk analysis and risk management plan in place. Moreover, OCR found that CardioNet had failed to implement final policies and procedures as required under the HIPAA Security Rule. Rather, those policies and procedures were in draft form at the time of the breach. Finally, CardioNet was unable to provide any final documentation regarding the implementation of safeguards for ePHI, notably those for mobile devices.
Take-Away Considerations
There are a number of important considerations that both covered entities and business associates should consider in light of OCR’s settlement with CardioNet.
- Conduct a Comprehensive Risk Analysis Followed by a Thorough Risk Management Plan: Failure to conduct an adequate risk analysis and risk management plan is commonly cited as a deficiency in OCR settlements. Covered entities and business associates are required to conduct a risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A). Additionally, covered entities and business associates must develop a robust risk management plan to implement policies and procedures that address deficiencies identified in the risk analysis. See 45 C.F.R. § 164.308(a)(1)(i)(B). OCR has previously issued guidance on the risk analysis, available here. To demonstrate the importance of the risk analysis and risk management process, OCR included these as part of its last security desk audit.
- Policies and Procedures Must be Finalized: OCR cited CardioNet’s failure to implement finalized policies and procedures implementing the standards of the HIPAA Security Rule. Covered entities and business associates must finalize and formally implement their HIPAA policies and not lose momentum in the HIPAA compliance process. Policies and procedures should not include placeholders, gaps, “draft” watermarks, or temporary language. It may be helpful to retain evidence that policies have been approved and distributed to the workforce.
- Establish Sufficient Device and Media Controls: Covered entities and business associates must have policies and procedures governing receipt and removal of hardware and electronic media containing ePHI within and outside of the entity’s facility. 45 C.F.R. § 164.310(d). New OCR Director, Roger Severino, addressed this requirement in response to the CardioNet settlement, noting that “[m]obile devices in the healthcare sector remain particularly vulnerable to theft and loss. Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.” Covered entities and business associates should verify whether hardware and electronic media should contain ePHI and, if so, whether encryption is appropriate (which is almost always the case).
- Train Workforce Not to Leave Mobile Devices in Unattended Vehicles: A tremendous number of breaches are caused simply by workforce not maintaining control over mobile devices containing ePHI. It is not uncommon for vehicles to be broken into or stolen, so workforce should be trained not to leave devices unattended in vehicles.
- Size of a Breach does not Directly Correlate to Size of the Settlement: Less than a week ago, OCR announced a settlement with the Center for Children’s Digestive Health (“CCDH”) in Illinois. CCDH settled with OCR for approximately $31,000 following allegations of a breach affecting nearly 11,000 individuals. In contrast, OCR and CardioNet settled for $2.5 million following a breach of fewer than 1,400 individuals. OCR intends to provide guidance regarding the calculation of settlement amounts. While the size of the breach likely is a factor in determining the size of a settlement, it appears that the size of the entity and the number and scope of issues that cause the breach are even more significant.
- The OCR Settlement Process can be Lengthy: CardioNet reported a 2011 theft in 2012 but did not settle with OCR until 2017. To avoid this lengthy investigatory and settlement process, covered entities and business associates should verify that their policies and procedures are adequate and that risks are appropriately identified and managed. A helpful tool to use in reviewing privacy and security policies and procedures is Davis Wright Tremaine’s New Year’s Resolutions Toolkit, which provides tips and guidance to monitor privacy and security tasks throughout the year.
- OCR Enforcement Shows no Signs of Slowing Under the Trump Administration: OCR’s settlement with CardioNet marks the seventh settlement in 2017. Last year, OCR announced a record thirteen settlements, and the agency is on pace to surpass that figure in 2017. Additionally, the average settlement or civil monetary penalty through the end of 2015 was approximately $1.1 million. In contrast, the average for 2016 was $1.8 million, and the average for 2017 is $2 million to date. For additional information examining OCR’s recent trends, see the Davis Wright Tremaine HIPAA Enforcement Chart.