Despite our best efforts, things can sometimes go wrong when ambulance personnel respond to an emergency. However, losing a computer and ending up with a $65,000 bill from the Office for Civil Rights at the U.S. Department of Health and Human Services is probably not something that we’d anticipate in the “worst possible outcome” category. Yet West Georgia Ambulance, Inc., a small ambulance service provider from Carroll County, Georgia, has found itself in just that position. How did that happen?
Well, it started when a laptop fell off the back bumper of one of West Georgia Ambulance, Inc.’s ambulances. The ambulance company notified the U.S. Department of Health and Human Services of the loss of the computer. Unfortunately, that laptop contained the protected health information of approximately five hundred patients. Sadly, the patient information was unencrypted.
That would be bad enough. However, when the Department of Health and Human Services investigated further, the Department determined that West Georgia Ambulance had failed, over time, to comply with various requirements of the Health Insurance Portability and Accountability Act (HIPAA). The Department determined that the noncompliance included a failure to conduct a risk analysis, the lack of a security awareness and training program, and a failure to implement HIPAA Security Rule policies and procedures. After the investigation, the Department of Health and Human Services offered West Georgia technical assistance. Despite this offer, however, West Georgia failed to take appropriate steps to address these failures.
The result: West Georgia agreed to pay $65,000 to the Office for Civil Rights at the U.S. Department of Health and Human Services and to adopt a corrective action plan that includes two years of monitoring.
This result should be a warning to all EMS providers. In commenting on this situation, Office for Civil Rights Director Roger Severino said: “All providers, large and small, need to take their HIPAA obligations seriously.”
So, if this is a warning to all EMS providers, what is the “warning” telling us? What do EMS providers need to do to “take their HIPAA obligations seriously”?
1. Make sure that your devices are encrypted. Every device should be encrypted if you are going to store health information on it. You certainly don’t want to lose a laptop – that’s bad news under any circumstances. However, if you lose a device and the information on it is encrypted, then (generally) you can presume that there has not been a HIPAA breach, since no one without the key can read encrypted data. If you can’t do this in-house, get professional help from a trusted resource outside your agency that can.
2. For any mobile devices that you use, make certain that they are equipped with remote locking and disabling capabilities, so that if a device does fall into the wrong hands, the information on it can still be protected even though your agency is no longer in physical possession of the device.
3. Have a policy in place that requires any possible breach of protected health information to be reported immediately. The remote locking and disabling capabilities won’t do any good if command doesn’t know there’s a need to employ them.
4. Review your current policies to ensure that you have all of the required policies in place. Perform the “risk analysis” that HIPAA requires, and take any corrective action that the “risk analysis” suggests.
5. Train your personnel on all applicable provisions of the Health Insurance Portability and Accountability Act (HIPAA). This training needs to include instruction on things like security policies and possible breaches of those policies.
For more information about the West Georgia Ambulance, Inc., agreement and the corrective action plan that was required, see the following: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/westgeorgia/index.html.