On December 30, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $65,000 settlement with West Georgia Ambulance, Inc. for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.
According to HHS, in 2013 the ambulance company reported a breach where an unencrypted laptop fell off the back bumper of an ambulance. The company did not recover the laptop and reported that 500 individuals were affected by the breach.
An investigation showed that the company did not conduct an accurate and thorough risk analysis, did not have a HIPAA security training program, did not provide security training to its employees and failed to implement Security Rule policies or procedures.
In additional to the monetary settlement, the ambulance company agreed to enter into a Corrective Action Plan requiring a very detailed and thorough review and analysis of all of the security risks and vulnerabilities in the company, submit detailed reports, provide training and routine retraining, adopt and implement appropriate written policies and procedures and other corrective actions.
You can read the HHS Press Release and Resolution Agreement here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/westgeorgia/index.html
If you would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.