By EMS1 Staff
WASHINGTON — A Georgia ambulance company agreed to pay $65,000 to the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) to settle a HIPAA noncompliance case involving a lost, unencrypted laptop.
According to the resolution agreement published by HHS, the laptop fell from the back bumper of a West Georgia Ambulance, Inc., rig in 2012 and was never recovered. The company said in its breach report that the laptop contained protected health information (PHI) of 500 individuals.
HHS announced the settlement today, stating that an OCR investigation found “long-standing noncompliance” with HIPAA rules by the company, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA security policies and procedures.
“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” OCR Director Roger Severino said. “All providers, large and small, need to take their HIPAA obligations seriously.”
The resolution agreement also outlines a corrective action plan the company agreed to, which includes implementing proper policies and procedures, providing security training, conducting a company-wide risk analysis and encrypting all of its computers within 30 days of signing the agreement.