
Ryan Stark | March 5, 2020

Four Actionable Takeaways from the First Ambulance HIPAA Settlement

Written By: Ryan Stark

On December 30, 2019, the Office for Civil Rights (OCR) at the US Department of Health and Human Services announced that a small ambulance service agreed to pay $65,000 and to adopt a rigorous Corrective Action Plan (CAP) to settle potential HIPAA violations. This was the first time an ambulance service paid a penalty to the government agency for a HIPAA violation.


What Went Wrong?

An unencrypted laptop with information of 500 patients was left on the bumper of an ambulance. The agency reported the breach to the government, as required, and then OCR took a microscope to their HIPAA policies and procedures. Here’s what the OCR found:

  • They had not performed a HIPAA Security Risk Analysis.
  • They were lacking many security policies and procedures.
  • They did have security awareness training.
  • They did not have encryption on some devices.

Four Simple Compliance Steps You Can Take Today

  1. Ask your HIPAA compliance and IT folks “Have we done a HIPAA Risk Analysis recently, and is it documented?” If not, that’s your first priority. There are a number of companies that perform risk analyses.
  2. Look at your HIPAA training to see whether it incorporates Security Awareness Training. Look for things like training personnel on what e-threats look like and how to report breaches. If your training doesn’t cover Security Awareness, you need to add it or look for a training solution that incorporates it.
  3. Review the HIPAA Security Rule Matrix at the bottom of the HIPAA Security Series document and ask whether you have policies for the standards mentioned. If not, you should look for a compliance solution or ask for help in developing these policies.
  4. Ask your IT folks, “Do we encrypt all of our devices?” If not, you need to – now. If the ambulance service named in the HIPAA settlement had encrypted the laptop, they would likely have prevented the situation that led to the fine.

Help Resources for HIPAA Compliance

Visit the HHS.gov website for information on health information privacy training and resources in implementing privacy and security protections. There are also HIPAA compliance solutions available through law firms and other providers that specialize in this topic.

More About the Author:

Ryan Stark

Ryan Stark is a Managing Partner with Page, Wolfberg & Wirth, and is the firm’s resident “HIPAA guru.” He counsels clients on labor relations, privacy, security, reimbursement, and other compliance matters affecting the ambulance industry. Ryan is passionate about educating EMS professionals and loves collaborating with providers and CEOs alike. He is a featured speaker in PWW seminars and webinars, including the firm’s signature abc360 Conference, where he hosts the abc360 Game Show. Always enthusiastic, Ryan has been invited to speak at many state and regional EMS conferences, as well as national industry events. He is also an adjunct professor at Creighton University in the school’s Master of Science in Emergency Medical Services Program.