The thread of compliance issues that unravels once a regulator starts pulling can be long and expensive, as one healthcare organization recently found out.
West Georgia Ambulance has agreed to pay a $65,000 fine to the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). In 2013 the ambulance company reported to HHS the loss of an unencrypted laptop computer that contained the protected health information of 500 individuals. The laptop had fallen off the back bumper of an ambulance. OCR went in to investigate the loss of that laptop, and it found some much larger issues.
The investigation uncovered “long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures,” according to a release announcing the settlement.
“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino, in a statement. “All providers, large and small, need to take their HIPAA obligations seriously.”
Along with the $65,000 fine, the ambulance company has also agreed to implement a corrective action plan that requires it to conduct an enterprise-wide analysis of security risks and vulnerabilities, develop a training program, and adopt written policies and procedures. The corrective action plan in this case is incredibly comprehensive and is sure to cost the organization a significant sum of money to carry out.