OCR reaches HIPAA settlement with ambulance company

The Department of Health and Human Services’ Office for Civil Rights has announced that West Georgia Ambulance has agreed to settle agency allegations of longstanding HIPAA noncompliance.


The Department of Health and Human Services’ Office for Civil Rights has announced that West Georgia Ambulance has agreed to settle agency allegations of longstanding HIPAA noncompliance.

West Georgia Ambulance, which provides emergency and non-emergency medical services in Carroll County, will pay $65,000 to OCR and adopt a corrective action plan as part of a settlement for potential violations of the HIPAA Security Rule.

According to OCR, the agency’s investigation was initiated after the ambulance company filed a breach report in 2013 concerning the loss of an unencrypted laptop containing protected health information for 500 people. The breach occurred when the unencrypted laptop fell off the back bumper of an ambulance—the computer was not recovered.


“OCR’s investigation uncovered longstanding noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures,” states the agency’s announcement.

In addition, the agency notes that “despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address their systemic failures.”

“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino in a written statement. “All providers, large and small, need to take their HIPAA obligations seriously.”

As part of its settlement with OCR, West Georgia Ambulance has agreed to undertake a corrective action plan that includes two years of monitoring. The OCR-West Georgia resolution agreement and corrective action plan can be found here.

“This agreement is not an admission of liability by the covered entity,” states the document. “This agreement is not a concession by HHS that the covered entity is not in violation of the HIPAA Rules and that the covered entity is not liable for civil money penalties.”

More for you

Loading data for hdm_tax_topic #better-outcomes...