In Carroll County, Georgia, there was a vehicle accident of an unusual kind recently. It resulted in the Department of Health & Human Services’ Office for Civil Rights (OCR) slapping a $65,000 fine on West Georgia Ambulance when they were found to have multiple violations of HIPAA rules.
It started in February of 2013 when an unencrypted laptop fell off the rear bumper of an ambulance and was never recovered. That laptop contained protected health information for 500 patients. The notification of the incident led to further investigation, which uncovered a long history of HIPAA noncompliance at the organization on several levels.
OCR found that a comprehensive, organization-wide risk analysis had never been performed, that an employee security awareness training program had never been implemented, and that other required HIPAA policies and procedures were not in place.
Once these failures were uncovered, OCR offered West Georgia Ambulance technical assistance to address the noncompliance, but those offers never led to any successful implementation to remedy the issues. This lack of follow-up resulted in a financial penalty being placed on the business.
By paying the financial penalty, West Georgia Ambulance is not absolved of being required to create and implement a corrective action plan. Every issue uncovered still needed to be addressed and remedied. This also puts them under a microscope with OCR, likely resulting in further scrutiny on any outstanding or future issues.
OCR’s concern is that patient privacy is something the patient should never have to worry about – they should only be worried about their health. What West Georgia Ambulance was doing was not putting patient care at the forefront of their business by adding to the concerns a patient might have. They may be a small entity in the overall big picture of healthcare institutions and businesses, but when it comes to healthcare, no business is small enough to go unnoticed or unaccountable for their HIPAA compliance program.
This article was originally published on HIPAA Secure Now! and is republished here with permission.