[BreachExchange] Ambulance Company Slapped With HIPAA Fine

Destry Winant destry at riskbasedsecurity.com
Fri Jan 3 10:08:35 EST 2020


https://www.databreachtoday.com/ambulance-company-slapped-hipaa-fine-a-13572

Federal regulators have smacked a Georgia-based ambulance company with
a $65,000 financial settlement and corrective action plan in a case
involving "longstanding" HIPAA compliance issues.

In a statement issued Monday, the Department of Health and Human
Services said it had reached a settlement with West Georgia Ambulance
after an HHS Office for Civil Rights investigation into a breach
reported in February 2013.

The Carrollton, Ga.-based company, which provides ambulance services
in Carroll County, reported that the incident involved the loss of an
unencrypted laptop containing the protected health information of 500
individuals.

OCR says its investigation "uncovered longstanding noncompliance"
with the HIPAA rules, including failures to conduct a risk analysis,
provide a security awareness and training program and implement HIPAA
Security Rule policies and procedures.

"Despite OCR's investigation and technical assistance, West Georgia
did not take meaningful steps to address their systemic failures," OCR
says.

"The last thing patients being wheeled into the back of an ambulance
should have to worry about is the privacy and security of their
medical information," says OCR Director Roger Severino. "All
providers, large and small, need to take their HIPAA obligations
seriously."

Corrective Action Plan

Under its resolution agreement with OCR, West Georgia Ambulance will
undertake a corrective action plan that includes two years of
monitoring by the agency.

The corrective action plan requires the ambulance company to:

- Conduct an enterprisewide analysis of security risks and
vulnerabilities that incorporates all electronic equipment, data
systems, programs and applications;
- Develop and implement an organizationwide risk management plan to
address and mitigate any security risks and vulnerabilities
identified;
- Adopt and implement written policies and procedures to comply with
the HIPAA privacy, security and breach notification rules, including
those related to business associates and business associate
agreements, technical access controls and authentication;
- Distribute to its workforce its updated policies and procedures and
provide related training;
- Install HIPAA-compliant encryption software on all computers.

West Georgia Ambulance did not immediately respond to Information
Security Media Group's request for comment.

Investigations Take Time

It's not unusual for OCR to take several years to announce a HIPAA
settlement, some observers say.

"OCR can take up to the full six-year statute of limitations to
resolve [potential violations], which most HIPAA covered entities and
business associates don't realize," says privacy attorney Iliana
Peters of the law firm Polsinelli.

"Even if an entity does not end up paying a settlement amount or a
civil money penalty, the investment of resources over time in
responding to OCR data requests and in ensuring updated compliance
efforts can be significant," says Peters, a former senior enforcement
leader at OCR. "Entities are well served by doing the best they can
with regard to HIPAA compliance before an OCR investigation, or at the
beginning of the investigation, such that any investigation can be
resolved quickly."

Privacy attorney David Holtzman of security consulting firm
CynergisTek offers a similar assessment.

"The HIPAA Enforcement Rule prioritizes efforts by OCR to resolve
violations of the rule informally, through voluntary corrective
action," he notes. "As we have seen over the years, formal enforcement
actions taken by the agency are littered with references to attempts
they have made to work with the covered entity or business associate
to mitigate the effects when there has been a breach, take the
necessary steps to adopt policies and procedures called out by the
standards, and, when appropriate, apologize to consumers whose PHI was
used or disclosed without their authorization."

Organizations need to be aware of "the damage that can be done to
their reputations and bank account by choosing to bury their head in
the sand when OCR offers the opportunity to fix a HIPAA compliance
problem," Holtzman says.

Safe Harbor

Healthcare organizations need to remember that "encryption is key to
risk avoidance by HIPAA covered entities and business associates,
given that encryption to National Institute of Standards and
Technology standards is a safe harbor under the HIPAA Breach
Notification Rule," Peters notes.

Under the safe harbor, for example, if a stolen device holds patient
information that was encrypted in line with NIST guidance, and the
decryption key was not exposed along with the device, the loss is not
a reportable breach. The same theft of an unencrypted device, as in
the West Georgia Ambulance case, is reportable.

"Recent breach report numbers from OCR indicate that entities are
doing a much better job of encrypting devices, given the percentage of
reports involving theft and loss of such devices has decreased
significantly over time, but there is still more work to be done
there," she says.

Holtzman notes that breaches reported to HHS caused by lost or stolen
devices on which unencrypted ePHI is stored "are down by more than 50
percent since reporting began in 2010."

He offers two theories as to why: "First, many device manufacturers
are encrypting data on storage media right out of the box. Second,
more data being stored in the cloud means there is less risk of
compromise when a smartphone or tablet is lost because there is a
minimum of data left on the device."

Risk Analysis a Must

The necessity to conduct a thorough, timely enterprisewide risk
analysis has been highlighted repeatedly by OCR at public events, in
guidance materials and especially in its HIPAA enforcement cases over
the last several years. So why do so many covered entities and
business associates still fail to conduct a proper HIPAA security risk
analysis?

"The problem is two-fold," Peters says. "First, many entities don't
understand the requirements and rely on vendors that also don't
understand the requirements. As a result, even despite efforts, they
end up with a gap analysis or audit, instead of a risk analysis.
Second, many entities that do understand the requirements do not want
to invest the time and resources necessary to ensure that they
understand all of the risks to all of the ePHI in their enterprises."

Many smaller organizations still fail to adequately safeguard
sensitive data, Holtzman contends.

"There is no easy fix. Many small healthcare organizations face
substantial barriers that prevent obtaining the funds to pay for
information security assessments," he says. "They lack awareness of
regulatory requirements and the availability of qualified service
providers for small businesses.

"A good first step would be for government agencies, like the Federal
Trade Commission and HHS, to make a combined effort to reach out to
small treatment and service providers with resources and training."

Other Enforcement Actions

The settlement with West Georgia Ambulance, announced Monday but
completed last year, was OCR's ninth HIPAA enforcement action in 2019.
That total comprises seven settlements and two civil monetary penalty
cases, with combined fines of about $13 million.

West Georgia Ambulance's settlement was OCR's third HIPAA enforcement
action in December. Earlier last month, OCR announced a $2.2 million
settlement with Norfolk, Va.-based Sentara Hospitals in a case
involving improperly reporting a breach and lacking a business
associate agreement.

OCR also announced in December an $85,000 settlement with Korunda
Medical, a Naples, Florida-based company that provides comprehensive
primary care and interventional pain management to approximately 2,000
patients annually.

That settlement was OCR's second HIPAA settlement case in 2019
involving the agency's ramped-up focus on enforcing patients' HIPAA
right of access to their health information.
