Malvern-based CardioNet, Inc., a company that provides remote mobile cardiac monitoring and rapid response, has been hit with a $2.5 million fine and placed on a two-year Corrective Action Plan (CAP) by the Office for Civil Rights (OCR). On the surface, this fine may seem excessive, given that the breach in question occurred in 2012, involved a single stolen laptop, and affected only about 3,600 records. However, the breach itself was only the tip of the iceberg. A closer look at the situation reveals that what happened with CardioNet is a classic example of “willful neglect”.
Willful Neglect is a term often heard in the HIPAA world. It is defined in section 45 CFR 160.401 of the HIPAA Omnibus (Final) Rule as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” It is this provision of the Rule that gives the OCR latitude in determining the fines levied against organizations that should have known better.
As with any breach the OCR investigates, it’s not just the specific breach incident that’s reviewed. The organization’s overall HIPAA compliance is fully examined. With CardioNet, OCR found major systematic failures and patterns of non-compliance throughout the organization dating back years. These issues included an insufficient risk analysis, policies and procedures that were still in draft form and never implemented, and no policies or procedures at all regarding the management of ePHI on mobile devices.
This settlement is the first of its kind involving a wireless health provider. But it is surely not the last. And the magnitude of the fine levied against CardioNet indicates that the OCR has no tolerance for willful neglect violators.