HIPAA Settlements Underscore Need to Protect Data

Regulation | May 11, 2017 | by

Although the cases described below do not involve aging services organizations, they illustrate the need for all covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to conduct a thorough privacy and security rule risk assessment and to implement safeguards to address those risks.

On April 24, 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). PA-based wireless health services provider, CardioNet, agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.


In January 2012, CardioNet reported to the OCR that a workforce member's laptop was stolen from a parked vehicle outside of the employee's home. The laptop contained the ePHI of 1,391 individuals. OCR's investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.


HHS has gathered tips and information to help protect and secure health information when using mobile devices.

Another settlement shows the need to have signed Business Associate Agreements (BAAs) with all vendors that handle protected health information.  

The Center for Children's Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the HIPAA Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of CCDH following the initiation of an investigation of a business associate, FileFax, Inc., which stored records containing PHI for CCDH. While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed BAA prior to Oct. 12, 2015. Additionally, neither party could produce a signed BAA prior to Oct. 2015.

OCR has made available additional information on BAAs.