An ambulance service breaches patient privacy and gets nabbed for much more
It seems even healthcare providers on wheels can’t outrun the long arm of the law.
A Georgia ambulance service was nabbed by federal regulators after repeated violations of the Health Insurance Portability and Accountability Act (HIPAA).
The Office for Civil Rights (OCR), the federal government’s HIPAA enforcement authority, hit West Georgia Ambulance Inc. with a hefty monetary penalty for multiple HIPAA failures. The OCR launched its investigation of the Carroll, Georgia, ambulance service after the company reported a security breach. Carroll, Georgia, is a small county of 110,000, west of Atlanta.
Ambulance service loses unencrypted laptop
The problems started in 2013, when West Georgia reported a lost laptop containing the electronic protected health information (ePHI) of 500 patients. What’s more, the laptop was unencrypted, which means the data was visible to anyone in possession of the computer.
It is a violation of the HIPAA Security Rule to share private patient data with unauthorized parties.
Frequent HIPAA Horror Stories readers will know exactly what happened next: the OCR, during its investigation, found multiple violations over a period of years.
A single violation leads to many for ambulance service
It’s just about 100 percent predictable that, when the OCR begins an investigation, it finds many more violations than the initially reported breach. In the case of West Georgia Ambulance, the company itself reported the laptop breach, as required by the Breach Notification Rule.
Federal investigators found numerous HIPAA violations, including failures to conduct a Risk Analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.
Despite the OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address the systemic failures.
Ambulance service gets monetary penalty and monitoring
On December 30, 2019, the OCR announced a settlement agreement with West Georgia. The company agreed to pay the OCR $65,000 and submit to a Corrective Action Plan that requires federal monitoring of West Georgia for two years.
Details of the Corrective Action Plan are available online at the Health and Human Services website.
If you operate an ambulance service and worry about HIPAA compliance, we’ve got your back. Call us.