OCR still bites: HIPAA Hassle Costs Provider $2.5 million

by Roy Edroso on Apr 25, 2017
Looks like the Trump administration is going full speed ahead with Office of Civil Rights (OCR) prosecution of HIPAA violations as yet another provider gets dinged with a multimillion-dollar fine.
 
OCR announced April 24 a settlement with telemetry supplier CardioNet regarding an incident involving a laptop containing protected health information (PHI) of 1,391 individuals that was stolen from a parked vehicle in January 2012. 
 
Not only is that a breach by HIPAA standards, but OCR judged that CardioNet had "insufficient risk analysis and risk management processes in place at the time of the theft." Its policies and procedures also were found inadequate. Security risk analysis and policies and procedures are fairly elementary HIPAA must-dos, which may be why CardioNet got hit with a $2.5 million penalty and a Resolution Agreement and Corrective Action Plan requiring the breach be "cured" within 30 days and its HIPAA compliance brought up to speed within 60 days.
 
There has been some speculation that HHS Secretary Tom Price would go easy on HIPAA enforcement, but the administration's first days have seen some other big-ticket settlements, including a $3.2 million settlement with the Children's Medical Center of Dallas. 
The information contained herein was current as of the publication date. © Copyright DecisionHealth, all rights reserved. Electronic or print redistribution without prior written permission of DecisionHealth is strictly prohibited by federal copyright law.