Ambulance Company Slapped With HIPAA Fine
Regulator Says Case Involved 'Longstanding Compliance Issues'
Federal regulators have smacked a Georgia-based ambulance company with a $65,000 financial settlement and corrective action plan in a case involving "longstanding" HIPAA compliance issues.
In a statement issued Monday, the Department of Health and Human Services said it had reached a settlement with West Georgia Ambulance after an HHS Office for Civil Rights investigation into a breach reported in February 2013.
The Carrollton, Ga.-based company, which provides ambulance services in Carroll County, reported that the incident involved the loss of an unencrypted laptop containing the protected health information of 500 individuals.
OCR says its investigation "uncovered longstanding noncompliance" with the HIPAA rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.
"Despite OCR's investigation and technical assistance, West Georgia did not take meaningful steps to address their systemic failures," OCR says.
"The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information," says OCR Director Roger Severino. "All providers, large and small, need to take their HIPAA obligations seriously."
Corrective Action Plan
Under its resolution agreement with OCR, West Georgia Ambulance will undertake a corrective action plan that includes two years of monitoring by the agency.
The corrective action plan requires the ambulance company to:
- Conduct an enterprisewide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications;
- Develop and implement an organizationwide risk management plan to address and mitigate any security risks and vulnerabilities identified;
- Adopt and implement written policies and procedures to comply with the HIPAA privacy, security and breach notification rules, including those related to business associates and business associate agreements, technical access controls and authentication;
- Distribute to its workforce its updated policies and procedures and provide related training;
- Install HIPAA-compliant encryption software on all computers.
West Georgia Ambulance did not immediately respond to Information Security Media Group's request for comment.
Investigations Take Time
It's not unusual for OCR to take several years to announce a HIPAA settlement, some observers say.
"OCR can take up to the full six-year statute of limitations to resolve [potential violations], which most HIPAA covered entities and business associates don't realize," says privacy attorney Iliana Peters of the law firm Polsinelli.
"Even if an entity does not end up paying a settlement amount or a civil money penalty, the investment of resources over time in responding to OCR data requests and in ensuring updated compliance efforts can be significant," says Peters, a former senior enforcement leader at OCR. "Entities are well served by doing the best they can with regard to HIPAA compliance before an OCR investigation, or at the beginning of the investigation, such that any investigation can be resolved quickly."
Privacy attorney David Holtzman of security consulting firm CynergisTek offers a similar assessment.
"The HIPAA Enforcement Rule prioritizes efforts by OCR to resolve violations of the rule informally, through voluntary corrective action," he notes. "As we have seen over the years, formal enforcement actions taken by the agency are littered with references to attempts they have made to work with the covered entity or business associate to mitigate the effects when there has been a breach, take the necessary steps to adopt policies and procedures called out by the standards, and, when appropriate, apologize to consumers whose PHI was used or disclosed without their authorization."
Organizations need to be aware of "the damage that can be done to their reputations and bank account by choosing to bury their head in the sand when OCR offers the opportunity to fix a HIPAA compliance problem," Holtzman says.
Healthcare organizations need to remember that "encryption is key to risk avoidance by HIPAA covered entities and business associates, given that encryption to National Institute of Standards and Technology standards is a safe harbor under the HIPAA Breach Notification Rule," Peters notes.
Under the safe harbor, for example, if an encrypted device containing patient information is stolen, that's not a reportable breach.
"Recent breach report numbers from OCR indicate that entities are doing a much better job of encrypting devices, given the percentage of reports involving theft and loss of such devices has decreased significantly over time, but there is still more work to be done there," she says.
Holtzman notes that breaches reported to HHS caused by lost or stolen devices on which unencrypted ePHI is stored "are down by more than 50 percent since reporting began in 2010."
He offers two theories as to why: "First, many device manufacturers are encrypting data on storage media right out of the box. Second, more data being stored in the cloud means there is less risk of compromise when a smartphone or tablet is lost because there is a minimum of data left on the device."
Risk Analysis a Must
The necessity to conduct a thorough, timely enterprisewide risk analysis has been highlighted repeatedly by OCR at public events, in guidance materials and especially in its HIPAA enforcement cases over the last several years. So why do so many covered entities and business associates still fail to conduct a proper HIPAA security risk analysis?
"The problem is two-fold," Peters says. "First, many entities don't understand the requirements and rely on vendors that also don't understand the requirements. As a result, even despite efforts, they end up with a gap analysis or audit, instead of a risk analysis. Second, many entities that do understand the requirements do not want to invest the time and resources necessary to ensure that they understand all of the risks to all of the ePHI in their enterprises."
Many smaller organizations still fail to adequately safeguard sensitive data, Holtzman contends.
"There is no easy fix. Many small healthcare organizations face substantial barriers that prevent obtaining the funds to pay for information security assessments," he says. "They lack awareness of regulatory requirements and the availability of qualified service providers for small businesses.
"A good first step would be for government agencies, like the Federal Trade Commission and HHS, to make a combined effort to reach out to small treatment and service providers with resources and training."
Other Enforcement Actions
The settlement with West Georgia Ambulance, announced Monday but completed last year, was OCR's ninth HIPAA enforcement action in 2019. That includes seven settlements and two civil monetary penalty cases, with a combined total of about $13 million in fines.
West Georgia Ambulance's settlement was OCR's third HIPAA enforcement action in December. Earlier last month, OCR announced a $2.2 million settlement with Norfolk, Va.-based Sentara Hospitals in a case involving improperly reporting a breach and lacking a business associate agreement.
OCR also announced in December an $85,000 settlement with Korunda Medical, a Naples, Florida-based company that provides comprehensive primary care and interventional pain management to approximately 2,000 patients annually.
That settlement was OCR's second HIPAA settlement case in 2019 involving the agency's ramped-up focus on enforcing patients' rights under HIPAA to access their health information.