publications full of ideas
First HIPAA Settlement Involving Wireless Health Services Provider

4.28.2017

We have previously written that the Internet of Things continues to spawn new cybersecurity and privacy concerns. These vulnerabilities have already served as plot devices for shows such as Homeland. Now, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced its first settlement with a wireless services provider.

The provider, which provides mobile monitoring to patients at risk for cardiac arrhythmias, had reported the theft of a laptop containing the electronic protected health information (ePHI) of approximately 1,400 individuals.

OCR’s investigation cited several factors that led to a finding of non-compliance:

  • Insufficient risk analysis and risk management processes in place at the time of the theft;
  • Policies and procedures implementing the standards of the HIPAA Security Rule had not been implemented; and
  • The organization could not furnish procedures for safeguarding ePHI, including those on mobile devices.

OCR Director Roger Severino noted that mobile devices remain particularly vulnerable to theft or loss. While this particular case involved a relatively mundane theft of a laptop computer, the organization’s mobile monitoring business serves as a timely reminder that as Internet-connected medical devices proliferate, so do the opportunities for ePHI security incidents. For every “smart” pacemaker or Internet-connected insulin pump, there will surely be a hacker trying to test its security. And as cloud-based applications and the Internet of Things continue to grow, OCR enforcement in the mobile arena will undoubtedly ramp up.

Covered Entities and Business Associates should:

  • Ensure that they have documented ePHI safeguards in place;
  • Conduct annual security assessment reviews and document the results; and
  • Encrypt data where possible.

When it comes to HIPAA compliance, an ounce of prevention can avert a pound (and even $2.5 million) of future pain.

The Resolution Agreement and Corrective Action Plan entered into in connection with this case may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601

related information

what's new at the firm

Webinar: ERISA Fiduciaries, Data Privacy and Cybersecurity Risks: HIPAA, HITECH, and ERISA Preemption of State Data Breach Laws

6/20/2017

This CLE webinar will provide guidance to employee benefits counsel on trends in data breaches for ERISA healthcare and retirement plans, lessons from recent BCBS/Anthem litigation, ERISA fiduciary obligations, ERISA preemption of state data breach laws, and contractual risk mitigation with third-party administrators (TPAs).

Poyner Spruill Attorneys Honored by Chambers USA in Seven Practice Areas

6/2/2017

RALEIGH - Chambers USA: America's Leading Lawyers for Business has ranked seven practice areas and sixteen Poyner Spruill LLP attorneys as leaders in their respective fields. Poyner Spruill received rankings, which identify the firm as a leader in North Carolina, for outstanding work in the following practice areas:

Charlie Davis Joins Poyner Spruill

6/1/2017

Charles E. “Charlie” Davis III has joined Poyner Spruill as an associate attorney practicing in the areas of estate and trust planning and administration, taxation, and business law.

Brett A. Carpenter joins Poyner Spruill

6/1/2017

Raleigh, NC – Brett A. Carpenter has joined Poyner Spruill’s Raleigh office as an associate, with a focus on helping clients with labor and employment law matters.

Five Poyner Spruill Attorneys Recognized for Pro Bono Efforts

5/31/2017

Raleigh, NC – Four Poyner Spruill attorneys have been inducted into the inaugural cohort of the Pro Bono Honor Society by the N.C. Supreme Court.