Written By: Ryan Stark

(2 min read) On December 30, 2019, the Office for Civil Rights (OCR) at the US Department of Health and Human Services announced that a small ambulance service  agreed to pay $65,000 and to adopt a rigorous Corrective Action Plan (CAP) to settle potential HIPAA violations. This was the first time an ambulance service paid a penalty to the government agency for a HIPAA violation. 

What Went Wrong?

An unencrypted laptop with information of 500 patients was left on the bumper of an ambulance. The agency reported the breach to the government, as required, and then OCR took a microscope to their HIPAA policies and procedures. Here’s what the OCR found:

• They had not performed a HIPAA Security Risk Analysis.
• They were lacking many security policies and procedures.
• They did have security awareness training.
• They did not have encryption on some devices.

Four Simple Compliance Steps You Can Take Today

1. Ask your HIPAA compliance and IT folks “Have we done a HIPAA Risk Analysis recently, and is it documented?” If not, that’s your first priority. There are a number of companies that perform risk analyses.
2. Look at your HIPAA training to see whether it incorporates Security Awareness Training. Look for things like training personnel on what e-threats look like and how to report breaches. If your training doesn’t cover Security Awareness, you need to add it or look for a training solution that incorporates it.
3. Review the HIPAA Security Rule Matrix at the bottom the HIPAA Security Series document and ask whether you have policies for the standards mentioned. If not, you should look for a compliance solution or ask for help in developing these policies.
4. Ask your IT folks, “Do we encrypt all of our devices?” If not, you need to – now. If the ambulance service named in the HIPAA settlement had encrypted the laptop, they would likely have prevented the situation that led to the fine.
   
   

Help Resources for HIPAA Compliance

Visit the HHS.gov website for information on health information privacy training and resources in implementing privacy and security protections. There are also HIPAA compliance solutions available through law firms and other providers that specialize in this topic.