HIPAA is another EMS elephant that contributes to EMS leaders’ insomnia
The first-ever HIPAA settlement in EMS cost a service $65,000. What can be done to make sure your agency isn’t next?
HIPAA is one of those things that keeps EMS chiefs up at night with images of lost equipment, social media photos of patients and clinical forms gently wafting away down the parking lot on the breeze, all breaching the federal covenant we have to keep patient identity and information secure.
On Dec. 30, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a small Georgia ambulance service agreed to pay $65,000 and adopt a demanding corrective action plan to settle potential HIPAA violations. The fine in question has been a long time in the making as a breach report was initially submitted to OCR in 2013 that described an unencrypted laptop falling off the back bumper of an ambulance containing data that affected 500 patients.
The investigation itself uncovered longstanding noncompliance with several aspects of HIPAA rules including failure to conduct an organization-wide risk analysis, failure to implement a security awareness training program for its employees and failure to implement HIPAA Security Rule policies and procedures. To help address its compliance failures, OCR provided technical assistance to resolve identified issues but despite that, no meaningful steps were taken to address the areas of noncompliance and, because of this, financial penalty was therefore warranted.
In addition to paying the $65,000 financial penalty, the service has to adopt a corrective action plan to address all areas of noncompliance discovered by OCR during the investigation. Going forward, OCR will also be scrutinizing the service’s HIPAA compliance program for two years to ensure HIPAA Rules are being followed.
All of the above serves to put agencies on notice that this is a very serious business – a federal issue – and those falling foul of it can expect, eventually, major punishment up to and including jail time. In 2019, OCR imposed 10 HIPAA financial penalties, totaling $12M to resolve noncompliance issues. Without due care and attention, and rigid observance of the rules and regulations, this could be any one’s next headline!
How to prevent HIPAA violations in EMS
HIPAA seems to be a challenging subject for some, the answer is, if in doubt, seek advice. If all else fails, individuals should contact the designated compliance officer, and organizational leadership should seek professional counsel.
Individual strategies to prevent data breaches and HIPAA violations include:
- Never disclose passwords or share login credentials
- Never leave portable devices or (paper) documents unattended
- Do not text patient information
- Don’t dispose of protected health information with regular trash
- Never access patient records out of curiosity
- Don’t take medical records with you when you change jobs
- Don’t access your own medical records using your login credentials
- Do not share protected health information on social media (including photos)
Organizational strategies to prevent data breaches and HIPAA violations include:
Having a dedicated EMS attorney firm conduct a detailed risk assessment of your agency’s operations could save your organization a lot of greenbacks or, worse, an orange suit.
Organizations should conduct baseline assessment of compliance with current practices, procedures and rules. This will identify if all is good or any potential exposure within an organization. Within the assessment, the following should be covered:
- Technical review of HIPAA policies, forms and procedures
- Risk analysis of the security environment – looking at both IT and physical file security
- The provision of advice on corrective action for issues identified and, if necessary, HIPAA training both on-site and off for all levels of the workforce and the development of new HIPAA policies and forms as required
Dealing with the issues in the digital age has added a new level of both complexity and risk. My thanks to Steve Wirth and Page, Wolfberg & Wirth for bringing this to my attention – it is too important not to share. This is my take; let me hear yours in the comments section.
Listen: HIPAA Violations - EMS One-Stop with Rob Lawrence
For an audio version of this article, listen below.
[Read next: What keeps EMS CIOs up at night]
Additional HIPAA resources
Learn more about EMS HIPAA violations, prevention and implications with these resources:
- HHS: Helping Entities Implement Privacy and Security Protections
- CMS: HIPAA Basics for providers: privacy, security, and breach notification rules
- HHS: HIPAA FAQs for Professionals
- The HIPAA Guide: HIPAA for dummies
- 5 questions you should ask about your mobile devices
- Why cybersecurity is important for EMS leaders
- How to improve data security in EMS
- EMS leaders should expect, prepare for cyberattack