By Ryan S. Stark, Esq.
We knew this was coming. On Dec. 30,2019, the Office for Civil Rights (OCR) announced that a small Georgia ambulance service agreed to pay $65,000 and to adopt a demanding corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
This marks the first time an ambulance service has paid a penalty to OCR for a potential HIPAA violation.
What happened
Way back in 2013, the ambulance service submitted a breach report to OCR describing an unencrypted laptop falling off the back bumper of an ambulance. The ambulance service said that 500 individuals were affected by the breach.
OCR investigated and uncovered what it described as “long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.”
Bottom line, an EMS provider left an unencrypted device on a bumper and as a result, OCR put them under a microscope and hit them with a hefty fine and many compliance and reporting obligations.
6 questions you must ask today based on the EMS HIPAA settlement
Ask these six questions to evaluate your EMS agency’s data security:
- Have we done a HIPAA risk analysis recently and is it documented?
- Does our HIPAA training incorporate the specific HIPAA security awareness training that OCR requires?
- Do we have all of the HIPAA Privacy, Breach and Security policies and procedures that are required?
- Have we identified all of our business associates and do we have current business associate agreements with them?
- Is our Notice of Privacy Practices up to date?
- Do we properly encrypt all of our devices?
If the answer to any of these questions is “no” or “we don’t know,” now is your opportunity to address it before something happens. Page, Wolfberg & Wirth is the nationwide expert on HIPAA and EMS. If you have questions, call us at 1-877-EMS-Law1 or email us.
