Tuesday, April 25, 2017

Cardiology vendor pays $2.5M Fine for HIPAA violation

CardioNet, a vendor of ambulatory cardiac monitoring products, has paid a fine of $2.5 million and will carry out a two-year corrective action plan under a settlement agreement with the Office for Civil Rights (OCR) of the Department of Health and Human Services, the agency that enforces the HIPAA privacy and security rules.

The sanction follows the 2012 theft of a laptop from an employee's car, which exposed the electronic protected health information of 1,391 people.

According to the agency, OCR's inquiry found that CardioNet had inadequate risk analysis and risk management procedures in place at the time of the theft; its policies and procedures for complying with the security rule were still in draft form and had not been implemented, the enforcement agency asserts.

In its inquiry, OCR further found that CardioNet, now part of BioTelemetry, had no final policies or procedures implementing safeguards for protected health information, including those for mobile devices.

“CardioNet failed to enforce the specifications needed to develop a security management process to stop, detect, contain and correct security violations,” OCR pointed out in the resolution agreement.

The company, OCR added, had no procedures governing the receipt and removal of media containing electronic protected health information, its encryption, or its movement within company facilities until March 2015. In other words, CardioNet did not act until it was already under investigation, a pattern OCR frequently encounters when it investigates breaches.

Representatives of CardioNet and BioTelemetry did not respond to a request for comment. The corrective action plan is available here.
