6 questions to evaluate your HIPAA risks

The Office for Civil Rights has ambulance services on its radar

In 2013, an EMS provider left an unencrypted device on a bumper and, as a result, OCR put them under a microscope and hit them with a hefty fine and many compliance and reporting obligations.

Ryan S. Stark, Esq., is a partner with Page, Wolfberg & Wirth, LLC

By Ryan S. Stark, Esq.

We knew this was coming. On Dec. 30, 2019, the Office for Civil Rights (OCR) announced that a small Georgia ambulance service agreed to pay $65,000 and to adopt a demanding corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

This marks the first time an ambulance service has paid a penalty to OCR for a potential HIPAA violation.

What happened

Way back in 2013, the ambulance service submitted a breach report to OCR describing an unencrypted laptop falling off the back bumper of an ambulance. The ambulance service said that 500 individuals were affected by the breach.

OCR investigated and uncovered what it described as “long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.”

Bottom line, an EMS provider left an unencrypted device on a bumper and, as a result, OCR put them under a microscope and hit them with a hefty fine and many compliance and reporting obligations.

6 questions you must ask today based on the EMS HIPAA settlement

Ask these six questions to evaluate your EMS agency’s data security:

  1. Have we done a HIPAA risk analysis recently and is it documented?
  2. Does our HIPAA training incorporate the specific HIPAA security awareness training that OCR requires?
  3. Do we have all of the HIPAA Privacy, Breach and Security policies and procedures that are required?
  4. Have we identified all of our business associates and do we have current business associate agreements with them?
  5. Is our Notice of Privacy Practices up to date?
  6. Do we properly encrypt all of our devices?

If the answer to any of these questions is “no” or “we don’t know,” now is your opportunity to address it before something happens. Page, Wolfberg & Wirth is the nationwide expert on HIPAA and EMS. If you have questions, call us at 1-877-EMS-Law1 or email us.

For over 20 years, PWW has been the nation’s leading EMS industry law firm. PWW attorneys and consultants have decades of hands-on experience providing EMS, managing ambulance services and advising public, private and non-profit clients across the U.S.

PWW helps EMS agencies with reimbursement, compliance, HR, privacy and business issues, and provides training on documentation, liability, leadership, reimbursement and more. Visit the firm’s website at www.pwwemslaw.com.