Fender Bender
In Carroll County, Georgia, there was a vehicle accident of an unusual kind recently. It resulted in the Department of Health & Human Services’ Office for Civil Rights (OCR) slapping a $65,000 fine on West Georgia Ambulance when they were found to have multiple violations of HIPAA rules.
It started in February of 2013 when an unencrypted laptop fell off of the rear bumper of an ambulance and was never successfully recovered. That laptop contained protected health information for 500 patients. The notification of the incident led to further investigating, which uncovered a long history of HIPAA noncompliance from the organization on several levels.
The Wreckage
OCR became aware of the absence of a comprehensive, and organization-wide risk analysis ever being done, an employee training program for security awareness never being implemented, and additional HIPAA policies and procedures not being in place.
Once these failures were uncovered, the OCR offered West Georgia Ambulance technical assistance to address the non-compliance, but those offers never led to any successful implementation to remedy the issues. This lack of follow up resulted in a financial penalty being placed on their business.
By paying the financial penalty, West Georgia Ambulance is not absolved of being required to create and implement a corrective action plan. Every issue uncovered still needed to be addressed and remedied. This also puts them under a microscope with OCR, likely resulting in further scrutiny on any outstanding or future issues.
OCR’s concern is that patient privacy is something the patient should never have to worry about – they should only be worried about their health. What West Georgia Ambulance was doing was not putting patient care at the forefront of their business by adding to the concerns a patient might have. They may be a small entity in the overall big picture of healthcare institutions and businesses, but when it comes to healthcare, no business is small enough to go unnoticed or unaccountable for their HIPAA compliance program.
Leave a Reply