
HIPAA is another EMS elephant that contributes to EMS leaders’ insomnia

The first-ever HIPAA settlement in EMS cost a service $65,000. What can be done to make sure your agency isn’t next?



HIPAA is one of those things that keeps EMS chiefs up at night with images of lost equipment, social media photos of patients and clinical forms gently wafting away down the parking lot on the breeze, all breaching the federal covenant we have to keep patient identity and information secure.

On Dec. 30, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a small Georgia ambulance service had agreed to pay $65,000 and adopt a demanding corrective action plan to settle potential HIPAA violations. The penalty was a long time in the making: the service first filed a breach report with OCR in 2013, describing an unencrypted laptop that fell off the back bumper of an ambulance and contained the protected health information of 500 patients. The word "unencrypted" matters. Under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest) is not "unsecured" PHI, so the loss of a properly encrypted device, where the key was not lost with it, would not have been a reportable breach in the first place.

The investigation uncovered longstanding noncompliance with several aspects of the HIPAA rules, including failure to conduct an organization-wide risk analysis, failure to implement a security awareness training program for employees, and failure to implement HIPAA Security Rule policies and procedures. OCR provided technical assistance to help the service resolve the identified issues, but no meaningful steps were taken to address the areas of noncompliance, and OCR concluded that a financial penalty was therefore warranted.

In addition to paying the $65,000 financial penalty, the service has to adopt a corrective action plan to address all areas of noncompliance discovered by OCR during the investigation. Going forward, OCR will also be scrutinizing the service’s HIPAA compliance program for two years to ensure HIPAA Rules are being followed.

All of the above puts agencies on notice that this is serious business and a federal matter. OCR’s civil penalties and corrective action plans are the usual consequence, but knowingly obtaining or disclosing PHI in violation of HIPAA can also be prosecuted criminally by the Department of Justice, with punishment up to and including jail time. In 2019, OCR imposed 10 HIPAA financial penalties, totaling $12M, to resolve noncompliance issues. Without due care and attention, and rigid observance of the rules and regulations, this could be anyone’s next headline!

How to prevent HIPAA violations in EMS

HIPAA seems to be a challenging subject for some; the answer is, if in doubt, seek advice. Individuals should contact their agency’s designated compliance officer, and organizational leadership should seek professional counsel.

Individual strategies to prevent data breaches and HIPAA violations include:

  • Never disclose passwords or share login credentials
  • Never leave portable devices or (paper) documents unattended
  • Do not text patient information over consumer SMS or messaging apps; use only an agency-approved, encrypted platform
  • Don’t dispose of protected health information with regular trash
  • Never access patient records out of curiosity
  • Don’t take medical records with you when you change jobs
  • Don’t access your own medical records using your login credentials
  • Do not share protected health information on social media (including photos)

Organizational strategies to prevent data breaches and HIPAA violations include:

Having a dedicated EMS attorney firm conduct a detailed risk assessment of your agency’s operations could save your organization a lot of greenbacks or, worse, an orange suit. Note that the risk analysis is not optional: the HIPAA Security Rule requires it, and its absence was one of OCR’s findings in the Georgia case.

Organizations should conduct a baseline assessment of compliance across current practices, procedures and rules. This will either confirm that all is in order or identify potential exposure within the organization. The assessment should cover:

  • Technical review of HIPAA policies, forms and procedures
  • Risk analysis of the security environment – looking at both IT and physical file security
  • The provision of advice on corrective action for issues identified and, if necessary, HIPAA training both on-site and off for all levels of the workforce and the development of new HIPAA policies and forms as required

Dealing with the issues in the digital age has added a new level of both complexity and risk. My thanks to Steve Wirth and Page, Wolfberg & Wirth for bringing this to my attention – it is too important not to share. This is my take; let me hear yours in the comments section.

Listen: HIPAA Violations - EMS One-Stop with Rob Lawrence




Rob Lawrence has been a leader in civilian and military EMS for over a quarter of a century. He is currently the director of strategic implementation for PRO EMS and its educational arm, Prodigy EMS, in Cambridge, Massachusetts, and part-time executive director of the California Ambulance Association.

He previously served as the chief operating officer of the Richmond Ambulance Authority (Virginia), which won both state and national EMS Agency of the Year awards during his 10-year tenure. Additionally, he served as COO for Paramedics Plus in Alameda County, California.

Prior to emigrating to the U.S. in 2008, Rob served as the COO for the East of England Ambulance Service in Suffolk County, England, and as the executive director of operations and service development for the East Anglian Ambulance NHS Trust. Rob is a former Army officer and graduate of the UK’s Royal Military Academy Sandhurst and served worldwide in a 20-year military career encompassing many prehospital and evacuation leadership roles.

Rob is a board member of the Academy of International Mobile Healthcare Integration (AIMHI) as well as chair of the American Ambulance Association’s State Association Forum. He writes and podcasts for EMS1 and is a member of the EMS1 Editorial Advisory Board. Connect with him on Twitter.