The CardioNet settlement is the first HIPAA settlement involving a wireless health services provider. The settlement arose from a breach investigation involving the theft of a CardioNet employee\u2019s laptop from a car.\u00a0 That laptop contained the electronic protected health information (\u201cePHI\u201d) of almost 1,400 individuals.\u00a0 As is typical in these HIPAA settlements, the stolen laptop was just the beginning of CardioNet\u2019s woes.\u00a0 OCR\u2019s investigation of the breach indicated that CardioNet has not finalized its HIPAA security policies and procedures and had not conducted a sufficient risk analysis and risk management process.<\/p>\n
Though the underlying facts of the CardioNet breach aren\u2019t new (see the very similar facts of a 2014 settlement<\/a> involving QCA Health Plan, Inc.), the settlement does indicate OCR\u2019s interest in the HIPAA compliance of mobile health technology companies.\u00a0 Though these companies do not interact face-to-face with patients, if they meet the definition of a covered entity under HIPAA, they have the same compliance obligations as a hospital, physician, or health plan.\u00a0 Additionally, certain health technology companies may be business associates of covered entities.\u00a0 OCR previously published guidance<\/a> on use scenarios under which a technology company would be a business associate, and therefore be subject to HIPAA compliance obligations<\/p>\n","protected":false},"excerpt":{"rendered":" The CardioNet settlement is the first HIPAA settlement involving a wireless health services […]<\/p>\n","protected":false},"author":3,"featured_media":13140,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[39],"tags":[53,52],"yoast_head":"\n