"The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information."
-OCR Director Roger Severino
First Ever HIPAA Settlement for the Industry
We knew this was coming. On December 30, 2019, the Office for Civil Rights (OCR) announced that a small Georgia ambulance service agreed to pay $65,000 and to adopt a demanding corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This marks the first time an ambulance service has paid a penalty to OCR for a potential HIPAA violation.
Way back in 2013, the ambulance service submitted a breach report to OCR describing an unencrypted laptop falling off the back bumper of an ambulance. The ambulance service said that 500 individuals were affected by the breach. OCR investigated and uncovered what it described as “long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.” Bottom line: an EMS provider left an unencrypted device on a bumper and, as a result, OCR put them under a microscope and hit them with a hefty fine and many compliance and reporting obligations.
What Does This Mean?
Your ambulance agency – large or small – is on OCR’s radar. No longer can we say “they always go after hospitals or doctors.” Your “HIPAA House” needs to be in order.
Six Questions You Must Ask Today Based on This Settlement
- Have we done a HIPAA Risk Analysis recently and is it documented?
- Does our HIPAA training incorporate the specific HIPAA Security Awareness Training that OCR requires?
- Do we have all of the HIPAA Privacy, Breach and Security policies and procedures that are required?
- Have we identified all of our business associates and do we have current business associate agreements with them?
- Is our Notice of Privacy Practices up to date?
- Do we properly encrypt all of our devices?
If the answer to any of these questions is "no" or "we don't know", now is your opportunity to address it before something happens.
If you need help, PWW offers a full range of HIPAA Compliance Services to meet your needs, budget and schedule. If you have questions, call us at 1-877-367-5291 or email us at firstname.lastname@example.org.