Ambulance Company Settles HIPAA Violation Case with OCR for $65,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a $65,000 settlement has been reached with West Georgia Ambulance, Inc., to resolve multiple violations of Health Insurance Portability and Accountability Act Rules.

OCR launched an investigation into the Carroll County, GA ambulance company after being notified on February 11, 2013 about the loss of an unencrypted laptop computer containing the protected health information of 500 patients. According the breach report, the laptop computer fell from the rear bumper of the ambulance and was not recovered.

The investigation uncovered longstanding noncompliance with several aspects of the HIPAA Rules. OCR discovered West Georgia Ambulance had not conducted a comprehensive, organization-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)), had not implemented a security awareness training program for its employees (45 C.F.R. § 164.308(a)(5)), and had failed to implement HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316.).

OCR provided technical assistance to West Georgia Ambulance to help the firm address its compliance failures, but despite that assistance, OCR said no meaningful steps were taken to address the areas of noncompliance. A financial penalty was therefore warranted.

In addition to paying the $65,000 financial penalty, West Georgia Ambulance is required to adopt a corrective action plan to address all areas of noncompliance discovered by OCR during the investigation. OCR will also be scrutinizing West Georgia Ambulance’s HIPAA compliance program for two years to ensure HIPAA Rules are being followed.

“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino. “All providers, large and small, need to take their HIPAA obligations seriously.”

This is the 10th OCR HIPAA financial penalty of 2019. In total, $12,274,000 has been paid to OCR in 2019 to resolve noncompliance issues.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.