HIPAA Compliance Failures Result in $65,000 Fine for Georgia Ambulance Company
West Georgia Ambulance, Inc., an ambulance company serving Carroll County in Georgia, has agreed to settle a HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights (OCR). The settlement agreement requires West Georgia Ambulance to pay a financial penalty of $65,000 and adopt a robust corrective action plan to address all compliance failures identified by OCR during the investigation of a 2013 data breach.
OCR investigated West Georgia Ambulance after being notified about a lost laptop computer containing the protected health information of 500 patients. The laptop computer was not encrypted so PHI could potentially have been accessed by unauthorized individuals. The laptop computer had been placed on the rear bumper of an ambulance. Attempts were made to find the laptop, but it was not recovered.
During the investigation, OCR discovered multiple violations of HIPAA Rules. West Georgia Ambulance had not conducted a HIPAA-compliant risk analysis, had not implemented policies and procedures required by the HIPAA Security Rule, and had not established a security awareness training program for the workforce.
OCR provided technical guidance to help West Georgia Ambulance comply with all aspects of HIPAA, but insufficient steps were taken to address the compliance failures in a reasonable time frame. That left OCR with no alternative but to impose a financial penalty and corrective action plan on the ambulance company. OCR will also be monitoring West Georgia Ambulance for two years to ensure the company continues to comply with HIPAA Rules.
“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information. All providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino.
This is the second financial penalty for HIPAA violations to be announced in December. OCR has imposed financial penalties on 10 entities in 2019 to resolve violations of HIPAA Rules. More than $12 million in fines have been issued in 2019.