Cardiology vendor to pay $2.5M for HIPAA violation

CardioNet, a vendor of ambulatory cardiac monitoring products, has paid a $2.5 million fine and will implement a 2-year corrective action plan under a settlement agreement with the Office for Civil Rights of the Department of Health and Human Services, which enforces the HIPAA privacy and security rules.


The sanction follows the 2012 theft of a laptop from an employee’s car that compromised the security of electronic protected health information for 1,391 individuals.

OCR’s investigation, according to the agency, found that CardioNet had inadequate risk analysis and risk management processes in place at the time of the theft; its policies and procedures for complying with the security rule were still in draft form and had not been implemented.

In its investigation, OCR further learned that CardioNet, now a part of BioTelemetry, had no final policies or procedures to implement safeguards for protected information, including those for mobile devices.


“CardioNet failed to implement the specifications required to establish a security management process to prevent, detect, contain and correct security violations,” OCR noted in the resolution agreement.

The company, OCR added, did not have processes governing the receipt and removal of media containing electronic protected health information, the encryption of that media, or its movement within CardioNet’s facilities until March 2015. In other words, CardioNet did not act until it was already under investigation, a pattern OCR commonly finds when it investigates breaches.

Representatives of CardioNet or BioTelemetry did not respond to a request for additional information. The corrective action plan is available here.
