HIPAA Horror Stories

Moving Violation

one-minute read

An ambulance service breaches patient privacy and gets nabbed for much more

It seems even healthcare providers on wheels can’t outrun the long arm of the law.

A Georgia ambulance service was nabbed by federal regulators after repeated violations of the Health Insurance Portability and Accountability Act (HIPAA).

The Office for Civil Rights (OCR), the federal government’s HIPAA enforcement authority, hit West Georgia Ambulance Inc., with a hefty monetary penalty for multiple HIPAA failures. The OCR launched its investigation of the Carroll, Georgia, ambulance service after the company reported a security breach. Carroll, Georgia, is a small county of 110,000, west of Atlanta.

Ambulance service loses unencrypted laptop

The problems started in 2013, when West Georgia reported a lost laptop containing the electronic protected health information (ePHI) of 500 patients. What’s more, the laptop was unencrypted, which means the data was visible to anyone in possession of the computer.

It is a violation of  the HIPAA Security Rule to share private patient data with unauthorized parties.

Frequent HIPAA Horror Stories readers will know exactly what happened next: the OCR, during its investigation, found multiple violations over a period of years.

A single violation leads to many for ambulance service

It’s just about 100-percent predictable that, when the OCR begins an investigation, it always finds many more violations than the initial reported breach. In the case of West Georgia Ambulance, the company itself reported the laptop breach, as required by the Breach Notification Rule.

Federal investigators found numerous HIPAA violations including failures to conduct a Risk Analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.

Despite the OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address the systemic failures.

Ambulance service gets monetary penalty and monitoring

On December 30, 2019, the OCR announced a settlement agreement with West Georgia. The company agreed to pay the OCR $65,000 and submit to a Corrective Action Plan that requires federal monitoring of West Georgia for two years.

Details of the corrective action plan are available online at the Health and Human Services Website.

If you operate an ambulance service and worry about HIPAA compliance, we’ve got your back. Call us.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 The ET&C Group LLC.
The HIPAA E-Tool® is a registered trademark of The ET&C Group LLC

3534 Washington Avenue, Saint Louis, MO 63103
Terms of Service | Privacy Policy

Powered by JEMSU

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free