Ambulance Company Pays OCR $65,000 to Settle HIPAA Violation Case

The Department of Health and Human Services Office for Civil Rights (OCR) has reached a settlement with West Georgia Ambulance, Inc., under which the company will pay $65,000 to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR started investigating the ambulance company, based in Carroll County, GA, after receiving a breach notification on February 11, 2013 regarding the loss of an unencrypted laptop computer that contained the protected health information (PHI) of 500 patients. The breach report indicated that the laptop fell off the rear bumper of the ambulance and that the company failed to recover it.

The investigation uncovered the company's longstanding noncompliance with several HIPAA Rules. OCR found that West Georgia Ambulance:

  • did not perform a comprehensive, company-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
  • did not provide its employees with a security awareness training program (45 C.F.R. § 164.308(a)(5))
  • did not enforce HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316)

OCR gave West Georgia Ambulance technical support to help the company address its compliance failures. In spite of that support, OCR reported that the company took no meaningful steps to correct the areas of noncompliance, so a financial penalty was issued.

Besides paying the $65,000 financial penalty, West Georgia Ambulance must undertake a corrective action plan that addresses all areas of noncompliance identified by OCR. For two years, OCR will monitor West Georgia Ambulance's HIPAA compliance program to make sure it follows the HIPAA Rules.

Patients being transported in the back of an ambulance should not have to worry about the privacy and security of their medical data. All providers, both big and small, should take their HIPAA obligations seriously.

This is the 10th OCR HIPAA financial penalty issued in 2019. OCR received a total of $12,274,000 in financial penalties in 2019 to settle noncompliance cases.