The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Ambulance Company Settles HIPAA Violation Case with OCR for $65,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a $65,000 settlement has been reached with West Georgia Ambulance, Inc., to resolve multiple violations of Health Insurance Portability and Accountability Act Rules.

OCR launched an investigation into the Carroll County, GA ambulance company after being notified on February 11, 2013, about the loss of an unencrypted laptop computer containing the protected health information of 500 patients. According to the breach report, the laptop computer fell from the rear bumper of the ambulance and was not recovered.

The investigation uncovered longstanding noncompliance with several aspects of the HIPAA Rules. OCR discovered West Georgia Ambulance had not conducted a comprehensive, organization-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)), had not implemented a security awareness training program for its employees (45 C.F.R. § 164.308(a)(5)), and had failed to implement HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316).

OCR provided technical assistance to West Georgia Ambulance to help the firm address its compliance failures, but despite that assistance, OCR said no meaningful steps were taken to address the areas of noncompliance. A financial penalty was therefore warranted.

Corrective Action Plan Focuses on Workforce Training

In addition to paying the $65,000 financial penalty, West Georgia Ambulance is required to adopt a corrective action plan to address all areas of noncompliance discovered by OCR during the investigation. The corrective action plan has a strict timeframe for when each stage must be completed:

  • A “scope and methodology” plan for a HIPAA compliant risk assessment must be submitted to OCR within 30 days.
  • If the plan is approved by OCR, the HIPAA compliant risk assessment must be submitted to OCR within 120 days.
  • If the assessment is approved, West Georgia Ambulance Inc. has 60 days to submit a risk management plan.
  • Once the plan is approved, the organization has 60 days to provide refreshed training to all members of the workforce.

Because of the number of policy and procedure changes required, it is likely that most of the workforce will be required to undergo “material change” Privacy Rule training. All members of the workforce will be required to undergo refresher Security Rule training – which must be repeated periodically during the corrective action plan. In addition, all new members of the workforce must undergo full HIPAA compliance training within 14 days of joining the workforce and in all cases before being provided access to PHI.

West Georgia Ambulance must also review the training materials at least annually and, where appropriate, update the training to reflect changes in federal laws, OCR guidance, or issues discovered during any audits, reviews, or compliance monitoring activities. OCR will be scrutinizing West Georgia Ambulance’s HIPAA compliance program for two years to ensure HIPAA Rules are being followed.

“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino. “All providers, large and small, need to take their HIPAA obligations seriously.”

This is the 10th OCR HIPAA financial penalty of 2019. In total, $12,274,000 has been paid to OCR in 2019 to resolve noncompliance issues.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
