Ambulance Company Pays $65,000 Financial Penalty for Multiple HIPAA Violation Cases

The Department of Health and Human Services Office for Civil Rights (OCR) issued a $65,000 financial penalty to West Georgia Ambulance, Inc. to settle multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).

OCR’s investigation of the ambulance company in Carroll County, GA began after OCR reviewed the breach notification submitted on February 11, 2013 concerning a missing unencrypted laptop computer containing the protected health information (PHI) of 500 patients. The breach report stated that the company failed to retrieve the laptop, which fell off the rear bumper of an ambulance.

OCR’s investigation revealed that the company had longstanding noncompliance with some HIPAA Rules. West Georgia Ambulance was found in violation of the following:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) for failure to conduct a complete, company-wide risk analysis
  • 45 C.F.R. § 164.308(a)(5) for not giving its employees a security awareness training program
  • 45 C.F.R. § 164.316 for not enforcing HIPAA Security Rule policies and procedures

OCR provided technical assistance to West Georgia Ambulance so that the company could address its compliance problems, but OCR claimed that, even with that support, the company did not take any meaningful steps to resolve its noncompliance. Consequently, OCR issued a financial penalty.

In addition to paying the $65,000 financial penalty, West Georgia Ambulance must follow a corrective action plan to fix all areas of noncompliance found by OCR. For two years, OCR will strictly monitor West Georgia Ambulance’s HIPAA compliance program to make sure it complies with the HIPAA Rules.

Patients using an ambulance’s services shouldn’t have any worries about the privacy and security of their medical information. All healthcare providers, whether big or small, should take their HIPAA responsibilities seriously.

This is OCR’s 10th HIPAA financial penalty of 2019. OCR has been paid a total of $12,274,000 in financial fines to resolve noncompliance issues in 2019.