The HIPAA Privacy Rule went into effect in April 2003. The Security Rule followed in April 2005. Since that time there have been 73 cases resulting in cumulative fines of almost $112 million for healthcare providers who violated those rules.[1] However, for more than 14 years, none of those fines hit an ambulance service. That changed on December 20, 2019, when the Office of Civil Rights (OCR) issued a press release announcing a $65,000 penalty to a small Georgia-based ambulance service. Let’s look at that release and unpack the lessons every ambulance service should take.
The press release says the HIPAA breach in this case was caused by “the loss of an unencrypted laptop containing the protected health information of 500 individuals.” A couple of things to note here: First, the number of patients at risk. Anytime a breach affects 500 or more individuals, you have to give notice to all affected individuals; to the news media, if the affected individuals all reside in a single jurisdiction; and to the OCR no later than 60 days after discovery of the breach.[2] It’s the notice to the OCR that puts your organization under the microscope, because the OCR can and will request and review your HIPAA policies and practices.
Second, the press release uses the word unencrypted. If the data had been encrypted, or if other security or administrative measures had been taken to ensure a potential breach could not turn into an actual breach, there probably would not have been a penalty. This is because there would not have been an obligation to report to the OCR to begin with, since only an actual breach requires sending the notice. So there are two lessons to learn here: 1) Don’t store lots of patient records locally on a portable device; and 2) encrypt everything.
The press release goes on to say the investigation “uncovered longstanding noncompliance with the HIPAA rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.” First, let’s talk about the “risk analysis.” This is something the OCR cites in almost every breach settlement it announces, and it’s one of the first things it will request to review when investigating or auditing a covered entity. This risk analysis document should address every place that protected health information (whether written or electronic) is created, stored, or transmitted, and it should identify exactly how that information is protected at each of those locations. For most healthcare providers, there is a lot of ground to cover in an accurate and thorough risk analysis.
Second, the press release mentions Security Rule training and policies. Note it does not mention HIPAA in general, but specifically the Security Rule. I think many ambulance services got on board with the Privacy Rule when HIPAA came out in 2003, but when everyone began talking about HIPAA again in 2005, when the Security Rule came into play, many thought they had already “done” HIPAA and did not take the steps to comply with its crucial second part.
This is a grave and potentially costly mistake. The Security Rule is a separate rule that requires separate policies and practices. If you think you’re HIPAA-compliant because you get a patient signature and hand out a notice of privacy practices, you have a lot of catching up to do. And as the OCR points out, compliance takes more than having policies on a shelf—it requires active risk assessment and staff training. If you do not have those in place, your company is at risk from a breach and compliance standpoint. Not having Security Rule policies and practices in play means you’re out of compliance with HIPAA.
Finally, the press release concludes with this quote from OCR Director Roger Severino: “The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information. All providers, large and small, need to take their HIPAA obligations seriously.” In my opinion this is a thinly veiled warning to the ambulance industry. In the past the OCR has focused much of its efforts on large healthcare entities and their business associates, most of which have self-reported large breaches. However, this may be changing. With the options of both “desk audits” and on-site audits, the OCR is equipped and ready to review smaller providers, and I believe we will soon see a significant number of desk audits of ambulance services.
HIPAA penalties can be huge. We have seen many in the seven- and eight-figure range, anywhere from $300,000 to $16 million. Even though this first ambulance penalty was a relatively small $65,000, the organization was small and rural, and ability to pay is something the OCR considers. It is likely that penalties assessed to ambulance services in the future will be larger. And even $65,000 should be more than enough reason to make sure your organization is not the next HIPAA headline.
1. Department of Health and Human Services. Health Information Privacy, Enforcement Highlights. www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
2. 45 CFR §§164.404, 164.406, 164.408(b).
G. Christopher Kelly is a lawyer with Page, Wolfberg & Wirth LLC, a Pennsylvania-based law firm focusing on regulatory healthcare law as it relates to the EMS and ambulance industry. This article is not intended as legal advice. For more information or for assistance with HIPAA compliance, reach Chris at firstname.lastname@example.org.