In the waning days of 2019, the HHS Office for Civil Rights (OCR) didn’t halt the HIPAA enforcement momentum it had built up during the last quarter of the year, dinging both a health care provider for late access to records (its second action of this type) and an ambulance company (its first such target) for common problems such as the lack of a security risk analysis.
In addition to 10 enforcement actions that collectively brought[1] OCR roughly $12.27 million, 2019 was a noteworthy year beyond just those entities unlucky or unfortunate enough to feel the regulator’s sting. OCR also gave the health care community a gift of sorts when it determined[2] in May that it would slice the annual maximum fine of $1.5 million that it had been imposing for lower tier infractions, and would keep that amount only for the worst offenses, those falling into the “willful neglect” category.
On Dec. 12, OCR announced an $85,000 settlement with Korunda Medical LLC of Florida for what OCR said was the medical practice’s failure earlier in 2019 to adequately comply with a patient’s request for access to her medical records. Korunda also agreed to a one-year corrective action plan (CAP).[3]
The most recent settlement, and the last of 2019, was announced Dec. 30.
West Georgia Ambulance Inc. agreed[4] to pay $65,000 and comply with a two-year CAP. OCR accused the private ambulance firm of “failures to conduct a risk analysis, provide a security awareness and training program, and implement” policies and procedures in compliance with the security rule.
“Despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address their systemic failures,” the agency alleged.
The payment and CAP resolve an ordeal for West Georgia that began almost seven years earlier to the day when it reported that an unencrypted laptop “fell off the back bumper of an ambulance,” a loss that affected the protected health information (PHI) of 500 individuals. Founded in 1977, West Georgia “provides emergency and nonemergency transportation services in Carroll County” with the aid of its 64 employees, according to OCR.
West Georgia notified OCR of the mishap on Dec. 13, 2012. West Georgia CEO Steve Adams signed off on the settlement on Dec. 23, 2019. Adams did not respond to a phone message left by RPP requesting comment on the settlement.
OCR’s investigation of the breach report revealed that West Georgia “did not conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of all of its electronic PHI (ePHI), “failed to have a HIPAA security training program, and failed to provide security training to its employees,” and also did not implement security rule “policies or procedures.”
The agency didn’t say whether it found any issues with West Georgia’s privacy rule compliance efforts or breach notification, the other two rules in HIPAA’s trio of privacy, security and breach notification requirements. But it is requiring changes to West Georgia’s notice of privacy practices (NPP) and updates related to business associate agreements, activities OCR doesn’t always include in CAPs.
Thirty Days to Encrypt
Specifically, West Georgia must “conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by [West Georgia] or its affiliates that are owned, controlled or managed by [West Georgia] that contain, store, transmit or receive” its PHI.
It also has to “develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis.” It subsequently must create a “corresponding management plan” to address identified risks.
OCR gave West Georgia two specific tasks to complete in short order (30 days): “install HIPAA compliant encryption software on all of its computers” and revise its NPP to reflect changes that OCR has required since 2013, such as greater clarification on the types of uses and disclosures that require patient authorization.
The agency also noted that, “in light of HHS’ investigation, particular revision is required” to West Georgia’s policies and procedures relating to business associates (BAs) and business associate agreements (BAAs).
CAP Requires ‘Technical’ Controls
Specifically, OCR required West Georgia, within 60 days of signing the settlement, “to review all relationships with vendors and third party service providers to identify business associates,” and submit to OCR “an accounting” of all BAs, “to include the names of business associates, a description of services provided, the date services began, and a description” of how the BA handles or interacts with West Georgia’s PHI.
OCR also wants copies of BAAs.
Under the CAP, revisions are also necessary for the following:

- “Technical access controls for any and all network/server equipment and systems to prevent impermissible access and disclosure of ePHI,
- “Technical access control and restriction for all software applications that contain ePHI to ensure authorized access is limited to the minimum amount necessary,
- “Technical mechanisms to create access and activity logs as well as administrative procedures to routinely review logs for suspicious events and respond appropriately,
- “Termination of user accounts when necessary and appropriate,
- “Required and routine password changes,
- “Password strength and safeguarding, and
- “Addressing and documenting security incidents.”
As is common with CAPs, West Georgia must train its workers on any new policies and procedures, notify the agency in writing within 30 days of any violation of its HIPAA policies and procedures, and submit an annual report in each of the two years the CAP is in effect.