
HHS Settlement with HIPAA Covered Entity Exacts $2.5 Million Penalty for Non-compliance

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a $2.5 million HIPAA privacy and security settlement with CardioNet, a wireless health services provider and covered entity under HIPAA, based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (“EPHI”). The disclosure occurred when a laptop computer belonging to a member of CardioNet’s workforce, which contained the unsecured EPHI of 1,391 individuals, was stolen from a parked vehicle outside of the workforce member’s home. CardioNet reported the breach to OCR and an investigation ensued, pursuant to which OCR determined that (i) CardioNet did not have a sufficient risk analysis and risk management process in place at the time of the theft, (ii) CardioNet had never actually implemented its draft policies and procedures for compliance with HIPAA’s security rules, and (iii) CardioNet was unable to produce any final policies or procedures regarding the implementation…

May 2017