The Office for Civil Rights (OCR) of the Department of Health and Human Services saved an announcement of HIPAA penalties for literally the day before the end of 2019. On December 30, through a press release, OCR announced that it had entered into a resolution agreement with West Georgia Ambulance, Inc. on December 23. The agreement requires West Georgia to pay a fine of $65,000.
What HIPAA Penalties Were Assessed Against West Georgia Ambulance, Inc.?
West Georgia Ambulance, Inc., provides both emergency and non-emergency ambulance services in Carroll County, Georgia. The company's failure to look in its proverbial HIPAA mirrors began in 2013. In that year, West Georgia filed a data breach report with the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).
The report, submitted to OCR on February 11, 2013, described the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. According to the report, on December 13, 2012, the laptop fell off the back bumper of an ambulance. The laptop was never recovered.
Upon receiving the report, OCR conducted an investigation. The investigation uncovered longstanding noncompliance with the HIPAA Rules, dating back to at least 2012. The length of time over which the noncompliance continued played a role in the assessment of the HIPAA penalties West Georgia agreed to pay. The investigation found that West Georgia had been:
- Failing to conduct a required security risk analysis;
- Failing to provide a security awareness and training program;
- Failing to implement required HIPAA Security Rule policies and procedures.
When a covered entity such as West Georgia is found to be noncompliant, OCR may choose to offer technical assistance as an initial remediation measure. OCR offered such technical assistance to West Georgia. However, West Georgia failed to take meaningful steps to address its widespread noncompliance with the HIPAA Rules.
This year-end HIPAA settlement also requires West Georgia to implement a corrective action plan, which OCR will monitor for two years.
In announcing the settlement, OCR Director Roger Severino noted that, “the last thing patients who are being wheeled into an ambulance should have to worry about is the privacy and security of their medical information.”
Several lessons stand out here. The first is that OCR is indifferent, when assessing penalties, to the time of the year – and even to the date of the year. The second is that investigations that reveal HIPAA compliance issues that began years ago – in this case at least seven years ago – can result in fines for that earlier noncompliance. As the writer William Faulkner once said, "The past is never dead. It's not even past."