Small Healthcare Providers Can Face Huge HIPAA Violation Fines
In 2013, West Georgia Ambulance underwent an OCR investigation following the loss of an unencrypted laptop that contained the data of approximately 500 patients. During that investigation, it was discovered that West Georgia Ambulance had quite a few ongoing HIPAA violations, including the following:
- Failure to conduct a risk analysis to uncover potential risks and vulnerabilities to ePHI.
- Failure to implement appropriate HIPAA Security Rule policies and procedures.
- Failure to provide security awareness training to the workforce.
What happened next is a prime example of the fact that even small healthcare providers can face HUGE fines for HIPAA violations. West Georgia Ambulance, a company that provides services throughout Carroll County, Georgia, must pay a $65,000 civil monetary settlement to the Department of Health and Human Services Office for Civil Rights. They also must adopt a corrective action plan to resolve the violations.
OCR is Cracking Down on HIPAA Violations… Are You Prepared for an Audit?
In the past few years, there has been a massive number of settlements for HIPAA violations. The OCR is cracking down, regardless of location or size, on healthcare providers that aren’t following the rules and regulations. It’s more important than ever before to ensure you’re maintaining compliance at all times – protecting ePHI against any sort of unauthorized access and/or disclosure.
OCR Director Roger Severino expressed his thoughts on the situation: “The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information. All providers, large and small, need to take their HIPAA obligations seriously.”
What Corrective Action Plan is West Georgia Ambulance Required to Follow?
West Georgia Ambulance is following a corrective action plan designed to improve risk analysis and management, policies and procedures, security training, and business associate agreements. They are required to:
- Perform a thorough analysis of security risks and vulnerabilities throughout their entire environment.
- Send the scope and methodology of their risk analysis to OCR within 30 days to ensure it’s consistent.
- Review and revise all security training policies and procedures and submit the proposed materials to HHS for approval.
- Train their entire workforce on the new policies and procedures upon approval from HHS within 30 days.
- Provide security training to all future employees within 14 days of starting, with written verification from staff that they’ve been trained.
Naturally, this will be a time-consuming, costly process for their company. In addition to the hefty fine they must pay, they will spend the next couple of months sorting through and completing each aspect of the corrective action plan. This is yet another case that highlights the importance of ensuring compliance before an audit happens. It’s much easier and more cost-effective to ensure compliance on your own time.
Need help protecting ePHI in accordance with HIPAA? Contact us at (615) 600-4411 now. Kraft Technology Group is the leading healthcare IT services company in Nashville, TN.