Lost Laptop Results in Aggressive CAP for Ambulance Company

313406 ambulanceSo, I listened to this episode of the Help Me with HIPAA podcast twice because there was just so much information. Here is the skinny on the story.  West Georgia Ambulance has been in business since 1977, way before HIPAA was a thing.  It is a small company of only 64 employees.  They reported to OCR that they had lost an unencrypted laptop.  The last time anyone could remember having the laptop, it was on the back of an ambulance.  So it must have just fallen off the back of the ambulance.  This event reportedly occurred on December 13, 2012 and the breach was reported to OCR on February 11, 2013.  Hummmm that is 60 days between the event and the report date.  We all know that HIPAA requires you to report a breach that affects 500 or more individuals to the Secretary no later than 60 days…”things that make you go hmmm”.  The ambulance company reported that exactly 500 individuals were affected by the breach. More things that make you go hmmmm. OCR’s found during their investigation of this incident that West Georgia Ambulance did not do an accurate and thorough risk analysis.   They did not have a HIPAA training program for their employees. They did have security policies and procedures, but they did not implement them. How good is a policy and a procedure if no one knows about it?  So, OCR’s investigation uncovered long standing HIPAA noncompliance (that doesn’t sound good!) and fined West Georgia Ambulance $65,000.  The ambulance company also agreed to a 2 year corrective action plan (CAP) with OCR. This means that West Georgia Ambulance will be building a complete privacy and security program in a short period of time and all under the watchful eye of OCR.  Talk about pressure!  The biggest take away that Donna and David talk about in this episode is the breakdown of what West Georgia Ambulance is going to have to do to satisfy OCR and it’s not just requiring West Georgia Ambulance to sweep up around their own doorstep.  It goes into what they have to make sure their Business Associates are doing.

This is my nugget to you.  If you think you don’t have time to or the money to do an assessment, develop policies and procedures that your organization will follow, or to do a thorough security risk analysis… listen to this episode.  You may realize you need to find the time and money.  Remember, OCR fined them for “long standing HIPAA noncompliance.” All it takes for OCR to come knocking on your door and investigate your compliance program is one phone call to OCR with a complaint or, heaven forbid, you have to report a breach!  $65,000 may not sound like a lot to you, but it was a lot to this small ambulance company with only 64 employees.  You can bet OCR will make it hurt for any organization that has a “long standing HIPAA noncompliance.”