The CardioNet settlement is the first HIPAA settlement involving a wireless health services provider. The settlement arose from a breach investigation involving the theft of a CardioNet employee’s laptop from a car. That laptop contained the electronic protected health information (“ePHI”) of almost 1,400 individuals. As is typical in these HIPAA settlements, the stolen laptop was just the beginning of CardioNet’s woes. OCR’s investigation of the breach indicated that CardioNet had not finalized its HIPAA security policies and procedures and had not conducted a sufficient risk analysis and risk management process.

Though the underlying facts of the CardioNet breach aren’t new (see the very similar facts of a 2014 settlement involving QCA Health Plan, Inc.), the settlement does indicate OCR’s interest in the HIPAA compliance of mobile health technology companies. Though these companies do not interact face-to-face with patients, if they meet the definition of a covered entity under HIPAA, they have the same compliance obligations as a hospital, physician, or health plan. Additionally, certain health technology companies may be business associates of covered entities. OCR previously published guidance on use scenarios under which a technology company would be a business associate, and therefore be subject to HIPAA compliance obligations.