HHS Resolution Agreement: West Georgia Ambulance, Inc. (Dec. 23, 2019); HHS News Release (Dec. 30, 2019)
HHS’s Office for Civil Rights (OCR) has announced a $65,000 settlement with an ambulance company (a HIPAA covered entity) to resolve alleged violations of HIPAA’s security rule. OCR’s investigation began after the covered entity filed a breach notification to report that an unencrypted laptop computer fell off the back bumper of an ambulance. The computer was not recovered, and the covered entity reported that the breach compromised protected health information (PHI) of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with HIPAA’s security rule, including failures to conduct a risk analysis, implement security policies and procedures, and provide a security awareness and training program. According to OCR’s press release, the covered entity did not take meaningful steps to address systemic failures despite receiving technical assistance from OCR.
In addition to the settlement payment, the covered entity agreed to a two-year corrective action plan (CAP). Among other requirements, the covered entity must conduct an accurate and thorough enterprise-wide risk analysis that includes a complete inventory of all electronic equipment, data systems, offsite data storage facilities, and applications that contain or store PHI. The scope and methodology of the risk analysis are subject to OCR approval, and the covered entity must submit its risk analysis to OCR for review and recommended changes. Following OCR’s approval of the risk analysis, the covered entity must develop a risk management plan, also subject to OCR’s review and recommended changes. The risk analysis and risk management plan must be updated annually and submitted to OCR for the duration of the CAP. In addition, the covered entity must develop comprehensive privacy, security, and breach notification policies and procedures and submit them to OCR for approval. Following approval, the policies and procedures must be distributed to all workforce members and incorporated into training materials. The covered entity must also provide OCR with a list of business associates and copies of business associate contracts. HIPAA-compliant encryption software must be installed on all of the covered entity’s computers. And the covered entity must submit detailed reports to certify compliance with the CAP.
EBIA Comment: This settlement is noteworthy for the comprehensive CAP, which calls for OCR to monitor the covered entity’s HIPAA compliance for the next two years. The covered entity likely could have avoided this level of scrutiny—as well as the $65,000 payment—if it had been more receptive to the technical assistance previously offered by OCR. Covered entities and business associates should take all OCR inquiries and offers of assistance seriously and seek advice from knowledgeable sources. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXX (“Core Security Requirements”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).
Contributing Editors: EBIA Staff.