Loss of Unencrypted Laptop Leads to $65,000 HIPAA Settlement

The last major settlement of 2019 regarding violations of the Health Insurance Portability and Accountability Act (HIPAA) may not have been the largest penalty of the year; but it nonetheless demonstrates the importance of compliance with HIPAA.

On December 30, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced its settlement with West Georgia Ambulance, Inc. (West Georgia) for potential violations of HIPAA.

After an unencrypted laptop fell off the back bumper of the company’s ambulance, West Georgia submitted a breach report with the OCR. The laptop contained the electronic protected health information (ePHI) of 500 individuals. The OCR’s investigation found the company had continuing non-compliance with the HIPAA Privacy and Security Rules because it failed to:

  • Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities of the ePHI the company held;
  • Implement a HIPAA security training program and to provide this training to its employees; and
  • Implement policies and procedures required by the HIPAA.

West Georgia agreed to pay $65,000 and adopt a 2-year corrective action plan (CAP) for future potential violations of HIPAA. The CAP includes some of the following remedial measures:

  • Conduct and complete a risk analysis and develop a complete inventory of all electronic equipment;
  • Install HIPAA compliant encryption software on all its computers;
  • Submit proposed training materials to HHS for review and approval, and upon approval by HHS, provide such training to all workforce members; and
  • Adopt and implement written policies and procedures to comply with HIPAA.

Now more than ever, those subject to HIPAA (Covered Entities (CEs)) must continue to comply with these obligations to avoid costly outcomes. ComplianceDashboard offers tools to help CEs navigate through the strict requirements of HIPAA.

 

The information and content contained in this blog post are for general informational purposes only, and does not, and is not intended to, constitute legal advice.

Leave a Reply

Your email address will not be published. Required fields are marked *