There was a case that settled last December that apparently slipped past me. Because it involves a topic I get asked about regularly (HIPAA), and about which there is a lot of misinformation, I want to be sure it is mentioned here even though belatedly.
The case is a good example of what HIPAA is really focused on: ensuring EMS providers have taken adequate precautions to protect electronically stored confidential patient information – referred to as electronic protected health information (ePHI). All too often, firefighters tend to think that HIPAA is aimed at limiting what we can discuss about the patients we treat.
On December 13, 2012, an unencrypted laptop computer containing protected health information (PHI) fell off the back bumper of an ambulance belonging to West Georgia Ambulance Inc. The device was never recovered. As a result, ePHI from 500 patients was potentially compromised.
As required by the Health Insurance Portability and Accountability Act, the provider notified the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) of the breach. OCR conducted an investigation and found that West Georgia Ambulance violated several HIPAA requirements, including:
- “did not conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI”
- “failed to have a HIPAA security training program, and failed to provide security training to its employees.”
- “failed to implement Security Rule policies or procedures.”
On December 23, 2019, OCR and West Georgia Ambulance entered into a “resolution agreement” in which the EMS provider agreed to pay OCR $65,000 as a “resolution amount” and commit to a “corrective action plan”. That plan is insightful because it outlines what EMS providers should be doing to ensure they are compliant with HIPAA.
The full corrective action plan is attached, and I urge all EMS providers to review it. Among the most important requirements are that providers:
- conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by the Covered Entity or its affiliates that are owned, controlled or managed by the Covered Entity that contain, store, transmit or receive the Covered Entity ePHI.
- develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis.
- develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis.
- adopt and implement written policies and procedures to comply with the Privacy, Security, and Breach Notification Rules, pursuant to 45 C.F.R. Part 160 and Subparts A, C and E of Part 164.
- Additionally, in light of HHS’ investigation, particular revision is required to the Covered Entity’s policies and procedures relating to:
  - Business Associates & Business Associate Agreements,
  - Technical access controls for any and all network/server equipment and systems to prevent impermissible access and disclosure of ePHI,
  - Technical access control and restriction for all software applications that contain ePHI to ensure authorized access is limited to the minimum amount necessary,
  - Technical mechanisms to create access and activity logs as well as administrative procedures to routinely review logs for suspicious events and respond appropriately,
  - Termination of user accounts when necessary and appropriate,
  - Required and routine password changes,
  - Password strength and safeguarding, and
  - Addressing and documenting security incidents.
- All policies and procedures are to be approved by HHS OCR.
- All workforce members shall be trained on the approved policies and procedures.
- All new workforce members shall be trained on the approved policies and procedures upon hiring.
- All workforce members shall review the training material annually.
- Workforce members shall certify “in electronic or written form” that they received the training.
Here is a copy of the Resolution Agreement, which includes the Corrective Action Plan as an appendix.
It should be noted that the “resolution amount” here, $65,000, is a modest one. There are health care providers who have been fined in the millions. Take a look at HIPAA News Releases.