Are you surprised to see a settlement with HHS arising from an investigation that began when an entity reported a stolen laptop in 2013? Keep reading this notice from HHS to find an explanation:
West Georgia Ambulance, Inc. (West Georgia), has agreed to pay $65,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. West Georgia is an ambulance company that provides emergency and non-emergency ambulance services in Carroll County, Georgia.
OCR began its investigation after West Georgia filed a breach report in 2013 concerning the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. Despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address their systemic failures.
“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino. “All providers, large and small, need to take their HIPAA obligations seriously.”
In addition to the monetary settlement, West Georgia will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/westgeorgia/index.html.
Source: HHS