Laptop Lost from Ambulance Back Bumper Leads to $65,000 HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $65,000 settlement to address potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by a Georgia-based ambulance company. The settlement addresses potential HIPAA violations resulting from the loss of an unencrypted laptop containing protected health information (PHI) from the back bumper of one of the company's ambulances. The company must also comply with a two-year corrective action plan.

Practical Law Legal Update w-023-4549 (Approx. 5 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 02 Jan 2020, USA (National/Federal)
On December 30, 2019, HHS's Office for Civil Rights announced a $65,000 settlement to address potential violations of HIPAA's Security Rule by a Georgia-based ambulance company and HIPAA covered entity (see HIPAA Privacy, Security, and Breach Notification Toolkit). The company, which employs 64 individuals and provides emergency and non-emergency transportation services in Georgia, must also comply with a two-year corrective action plan (CAP).

Loss of Unencrypted Laptop Containing ePHI

In February 2013, the company submitted a breach report concerning the loss of an unencrypted laptop, which fell from the back bumper of one of the company's ambulances, containing the electronic protected health information (ePHI) of 500 individuals (see Practice Note, HIPAA Breach Notification Rules). The laptop was never recovered. HHS's subsequent investigation revealed that the company had failed to:
  • Conduct an accurate and thorough risk analysis of the potential risks to ePHI that it held.
  • Implement policies and procedures concerning HIPAA's Security Rule (see Practice Note, HIPAA Security Rule).
  • Implement a HIPAA security training program and provide training to its workforce members.

Corrective Action Plan Addresses Extensive HIPAA Noncompliance

In addition to the $65,000 payment, the company must comply with a CAP that imposes numerous requirements concerning the company's HIPAA compliance.

Risk Analysis and Risk Management

The CAP requires the company to perform an accurate, thorough, and enterprise-wide risk analysis of potential risks to the ePHI that it holds. The risk analysis must include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI. The scope and methodology of the risk analysis are subject to HHS's approval. Once the company carries out an approved risk analysis, it must also implement an organization-wide risk management plan to address the security risks and vulnerabilities identified in the risk analysis.

Training

The company also must submit its proposed HIPAA training materials for workforce members to HHS for approval (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). Once the training materials are approved, the company must:
  • Provide training to all workforce members.
  • Require workforce members who receive the training to provide a written or electronic certification confirming that they received the training.
  • Provide routine retraining whenever the procedures are updated.
  • Review the training materials on an annual basis.

HIPAA Policies and Procedures

The CAP requires the company to adopt and implement written HIPAA policies and procedures that address key provisions under HIPAA's privacy, security, and breach notification requirements. The company's updated HIPAA policies and procedures must reflect specific provisions related to the compliance shortfalls identified in HHS's investigation, including:
  • Business associates (BAs) and BA agreements (see Standard Document, HIPAA Business Associate Agreement).
  • Technical access controls for network/server equipment and systems to prevent impermissible access and disclosure of ePHI (see Practice Note, HIPAA Security Rule: Access Control).
  • Technical access controls and restrictions for software applications containing ePHI (that is, to limit each authorized user's access to the minimum necessary).
  • Technical mechanisms to create access and activity logs, and related administrative procedures to routinely review those logs for suspicious events and to respond appropriately.
  • Termination of user accounts when necessary and appropriate.
  • Required and routine password changes, and password strength and safeguarding.
  • Addressing and documenting security incidents.
The company must submit its policies and procedures to HHS for approval. Once the policies and procedures are approved, the company must:
  • Adopt, implement, and distribute them to workforce members.
  • Document that its workforce members have read, understood, and agreed to comply with the policies and procedures. Workforce members may not have access to ePHI until this documentation is obtained.

Business Associates, Encryption, and Notice of Privacy Practices

Regarding BAs, the company must provide HHS with:
The CAP also requires the company to encrypt its computers and update its privacy notice (see Standard Document, HIPAA Notice of Privacy Practices for Group Health Plans). The encryption requirement goes to the root cause of the breach: had the lost laptop's ePHI been encrypted consistent with HHS guidance, it would not have been "unsecured" PHI subject to the breach notification rules.

Practical Impact

This is the second HIPAA settlement we've seen in recent months where a covered entity, despite receiving direct technical assistance or an express warning from OCR, chose not to take meaningful action to address HIPAA noncompliance, and paid the price (see Legal Update, HIPAA Breach Notification Failure Leads to $2.175 Million Settlement: Providers Underreported Extent of Breach Incident). HHS characterizes the HIPAA noncompliance in this latest enforcement action as "systemic" and "long-standing." Although the settlement amount is small (relatively speaking), the CAP's list of compliance requirements is wide-ranging. As noted, the CAP sets out minimum content requirements for the company's HIPAA policies that include line-item references to fundamental privacy, security, and breach notification requirements.