Did you resolve to be HIPAA-compliant in 2020?
Maybe you did make a 2020 resolution to be HIPAA compliant. Not so West Georgia Ambulance, Inc., which kicked off 2020 by agreeing to pay $65,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). In addition to the cash settlement, the ambulance company, which provides emergency and non-emergency ambulance services in Carroll County, Georgia, also agreed to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Could the repercussions of its HIPAA violations have been worse?
Yes, indeedy! One point in West Georgia’s favor was that it reported the breach itself: the company filed a breach report in 2013, and that report is what prompted the OCR investigation. The breach concerned the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals.
That, in itself, was problematic. However, OCR’s investigation further uncovered West Georgia’s long-standing noncompliance with the HIPAA Rules. This included the company’s failure to conduct a risk analysis, to provide a security awareness and training program, and to implement HIPAA Security Rule policies and procedures.
Adding insult to injury, West Georgia failed to take any meaningful steps to address these systemic failures despite OCR’s investigation and technical assistance.
“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino, who further warned that “all providers, large and small, need to take their HIPAA obligations seriously.”
Losing a laptop is one thing.
Losing an unsecured laptop is another. That is the issue that cost West Georgia. Under the HIPAA Breach Notification Rule, PHI that is encrypted in line with HHS guidance is not considered “unsecured,” so the loss of a properly encrypted device generally does not trigger a reportable breach in the first place. An unencrypted laptop offers no such protection.
Founded in 1977, West Georgia employs 65 individuals. In 2012, an unencrypted laptop fell off the back bumper of an ambulance. It was not recovered. OCR determined that West Georgia did not have sufficient compliance procedures in place, nor had it conducted an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI, including the information for 500 patients on the laptop.
According to OCR, the company had no HIPAA security training program and provided no security training to its employees. Hence, it must now pay $65,000 to HHS and, of course, take corrective action. Failure to carry out the corrective action plan would breach this comparatively small settlement and could expose the company to far more serious penalties.
Compliance matters – in training and data protection
Regardless of industry (healthcare, financial services, insurance) or, in some cases, geography (the US or Canada), no one is immune from oversight and regulatory compliance.
Errors happen. Intentional omissions happen. Laptops fall off the backs of ambulances.
However, in this case, a protocol to secure patient data was missing. For want of a nail…
A vigilant, well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. Patrina can help. We’ve built our business on helping organizations keep track of “bad apples” and stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective, designated third-party services, our comprehensive 8-module compliance solution, and compliant data capture, file storage, and records archiving specifically designed for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.