On April 24, 2017, the Office of Civil Rights (“OCR”) announced the first HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information by a wireless service provider. CardioNet, an ambulatory cardiac monitoring service, provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias, agreed to pay $2.5 million, and to implement a corrective action plan.

As reported by the OCR, in 2012 CardioNet reported to the OCR the theft of a workforce member’s unencrypted laptop containing electronic PHI (“ePHI”) of 1,391 individuals. OCR’s investigation revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.   Additionally, CardioNet’s provided the OCR draft policies and procedures implementing the HIPAA Security standards, and was unable to produce final policies or procedures implementing the security safeguards for ePHI, including mobile devices.

The Corrective Action Plan between OCR and CardioNet requires that CardioNet certify to OCR that all of its laptops and portable media devices are encrypted and to describe the encryption methodology. Although encryption is currently an “addressable” requirement under the HIPAA Security Rule, requiring CardioNet to encrypt its laptops and portable media devices illustrates how vital encryption can be to preventing PHI breaches, and how encryption has become an industry-standard protection.

In its press release, OCR cited to its guidance “Your Mobile Device and Health Information Privacy and Security at: https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security   That guidance emphasizes the importance of performing a risk analysis, developing a risk management strategy, developing and implementing policies and procedures, and privacy, security training and education when using mobile devices in a health care setting.