The Department of Health and Human Services, Office for Civil Rights (“OCR”) ended 2019 with an agreement with West Georgia Ambulance, Inc. (“WGA”) to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  

The alleged HIPAA violations arose on December 13, 2012, when WGA reported that an unencrypted laptop fell off an ambulance’s bumper.  WGA attempted unsuccessfully to recover the laptop. About two months later, on February 1, 2013, the ambulance company submitted its HIPAA breach report to OCR and reported that exactly 500 individuals were affected by the breach.  Although OCR automatically investigates reported breaches when over 500 individuals are affected, OCR may also investigate when fewer than 500 individuals are affected, in its discretion. In response to WGA’s reporting, OCR investigated and discovered “long-standing” noncompliance with HIPAA rules.  OCR found that WGA did not perform a risk analysis, have a security program, provide adequate training, or implement HIPAA Security Rule policies and procedures. And, despite OCR’s assistance, WGA allegedly did not take meaningful steps to resolve the HIPAA compliance failures. 

OCR’s agreement with WGA requires a two-year corrective action plan (“CAP”) and a resolution amount of $65,000.  The CAP requires WGA to take numerous actions such as completion of risk analysis, completion of training, installation of HIPAA-compliant software on all computers, and adoption and implementation of written policies and procedures to comply with the Privacy, Security, and Breach Notification Rules.

OCR’s settlement with WGA, a small, local ambulance company that employ only about 64 employees, demonstrates OCR’s willingness to investigate and enforce HIPAA rules against covered entities of all sizes.  “All providers, large and small, need to take their HIPAA obligations seriously,” according to OCR Director, Roger Severino.

According to a report published by IBM Security, in 2019, the average cost of a data breach in the United States was $8.19 million, and the average size of a data breach was over 25,000 records.  The industry with the highest average cost for a databreach was the healthcare industry. The attorneys at Chilivis Grubman have represented companies of all types and sizes in connection with data breaches, including in connection with incident response, government investigations, and class actions lawsuits.  If your company has experienced a data breach, please contact us today.