HIPAA Compliance Failures Result in $65,000 Fine for Georgia Ambulance Company
West Georgia Ambulance, Inc., an ambulance company serving Carroll County in Georgia, has agreed to settle a HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights (OCR). The settlement agreement requires West Georgia Ambulance to pay a financial penalty of $65,000 and adopt a robust corrective action plan to address all compliance failures identified by OCR during the investigation of a 2013 data breach.
OCR investigated West Georgia Ambulance after being notified about a lost laptop computer containing the protected health information of 500 patients. The laptop computer was not encrypted so PHI could potentially have been accessed by unauthorized individuals. The laptop computer had been placed on the rear bumper of an ambulance. Attempts were made to find the laptop, but it was not recovered.
During the investigation, OCR discovered multiple violations of HIPAA Rules. West Georgia Ambulance had not conducted a HIPAA-compliant risk analysis, had not implemented policies and procedures required by the HIPAA Security Rule, and had not established a security awareness training program for the workforce.
OCR provided technical guidance to help West Georgia Ambulance comply with all aspects of HIPAA, but insufficient steps were taken to address the compliance failures in a reasonable time frame. That left OCR with no alternative but to impose a financial penalty and corrective action plan on the ambulance company.
All Workforce Members to Undergo Retraining
As part of the corrective action plan, all members of the organization’s workforce will be required to undergo retraining on revised HIPAA-related policies and procedures. The HIPAA training must be provided within sixty days from the approval of the revised policies and procedures and – at a minimum – annually thereafter. As part of the HIPAA training requirements, West Georgia Ambulance must review the training materials annually and revise where necessary “to reflect changes in federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.”
OCR will also be monitoring West Georgia Ambulance for two years to ensure the company continues to comply with HIPAA Rules.
“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information. All providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino.
This is the second financial penalty for HIPAA violations to be announced in December. OCR has imposed financial penalties on 10 entities in 2019 to resolve violations of HIPAA Rules. More than $12 million in fines have been issued in 2019.
