On Feb. 11, 2013, a small ambulance service from Georgia reported to the federal government that a laptop fell off the back bumper of one of their ambulances. The government opened an investigation into what happened in response.
Then, the Feds dug deeper.
It wasn’t just the lost laptop that did the agency in. There were other missteps that got them into a $65,000 settlement and two-year corrective action plan.
- No Encryption. The device was an unencrypted laptop. Unencrypted means a lot in HIPAA world. If you lose a device that is encrypted, then the government lets you presume that there has been no breach, because no one can read the encrypted data. That wasn’t the case here.
- No Risk Analysis. The ambulance service had not done a required HIPAA Risk Analysis. Every agency, large or small, must have a documented risk analysis to show the federal government.
- No Security Awareness Training. Part of your HIPAA training needs to include instruction on security issues, like breaches and other “e-threats.” Their training was deficient.
- Lacking Security Policies and Procedures. The service also failed to have some of the required security policies that HIPAA requires you to have in place.
What You Can Do
- Encrypt, encrypt, encrypt. Every device and USB drives should be encrypted if you are going to store health information on it. Ask your IT professionals whether you do that. If not, find out what it will take. Oh, and encrypt your data in motion, like email, too.
- Risk Analysis — Do One! If you haven’t done a full HIPAA Security Risk Analysis, you’re already out of compliance with HIPAA. And the Feds will cite you for it if they investigate you in response to a breach report.
- Train Your Staff to Report Incidents, Immediately. Security awareness training is simple for your staff members — from field providers or administrative staff. If anything is lost, stolen hacked, or “phishy,” report it immediately — no matter how small. Tell your folks not to wait because your agency may be able to remotely lock a device as soon as they’ve realized it’s lost. Oh, ask your IT folks what your remote locking and disabling capabilities are for your mobile devices.
- Audit Your Policies. There are certain policies you must have in place. If you don’t know what they are, get help. Not having a policy also means your out of compliance with HIPAA.
Remember breach notice puts your organization under the microscope because the government can and will request and review your HIPAA policies and practices (including your Risk Analysis). You could be one event away from a fine. Get your HIPAA house in order.
More EMS Lawline Reading
Ryan Stark is a partner of Page, Wolfberg & Wirth, LLC and is a nationwide HIPAA Privacy and Security expert in EMS. If you’ve got a question, reach out at firstname.lastname@example.org or 717-620-2687.
For 20 years, PWW has been the nation’s leading EMS industry law firm. PWW attorneys and consultants have decades of hands-on experience providing EMS, managing ambulance services and advising public, private and nonprofit clients across the U.S. PWW helps EMS agencies with reimbursement, compliance, HR, privacy and business issues, and provides training on documentation, liability, leadership, reimbursement and more. Visit the firm’s website at www.pwwemslaw.com.”¯”¯”¯