As we anticipated there was one more OCR settlement announcement before the end of 2019. This one popped in at the end of December and was yet another one in our backyard. The ambulance company settlement seemed simple at first but once we read the details there is a lot to unpack in the CAP. Let’s get to it then.
In this episode:
Ambulance Company Settlement – Ep 237
2020 Sessions Dates Coming Soon
March 24, 25, 26
For info go to TheHIPAABootCamp.com
Share Help Me With HIPAA with one person this week!
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Ambulance Company Settlement
OCR announced the last HIPAA enforcement settlement in 2019 on Dec 30 with a West Georgia ambulance company. The headline for the announcement made an Ouch kind of statement from the get go. It read:
Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance
Wow, that hurts. When “longstanding HIPAA noncompliance” is in the title it does not make it sound like they have many nice things to say about what they found in their investigations. Then you read in the short press release where they explain there was a breach reported and OCR talked to them as they usually do but it ends with simple direct statement:
“Despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address their systemic failures.”
Here’s the official quote:
“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino. “All providers, large and small, need to take their HIPAA obligations seriously.”
It is important before we go through all this detail to point out the specifics about the company. West Georgia Ambulance, Inc. is the official name of the CE. Doing what most EMS services do. It employs 64 individuals and was founded in 1977. We are not talking about a huge company here.
This is what happened:
On February 11, 2013, the Covered Entity submitted a breach report to OCR that described a breach that occurred on December 13, 2012. The breach occurred when an unencrypted laptop fell off the back bumper of an ambulance. The laptop was not recovered. The Covered Entity reported that exactly 500 individuals were affected by the breach.
OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
A. The Covered Entity did not conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
B. The Covered Entity failed to have a HIPAA security training program, and failed to provide security training to its employees.
C. The Covered Entity has failed to implement Security Rule policies or procedures.
They are paying out $65,000 plus going on a 2 year CAP. But, wow what a CAP it is. They will be building a complete privacy and security program under the watchful eye of OCR every step of the way. Our clients think we are tough! This thing is very specific. So, all of you out there that want to know what steps are required to implement a proper HIPAA program here you go.
Risk Analysis and Risk Management
Conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by the Covered Entity or its affiliates that are owned, controlled or managed by the Covered Entity that contain, store, transmit or receive the Covered Entity ePHI. As part of this process, the Covered Entity shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis.
Within 30 days, submit the scope and methodology by which it proposes to conduct the Risk Analysis. HHS will decide if just the plan is ok. Until they approve this part they aren’t supposed to do the SRA. Once they get the approval they have 120 days to send HHS the SRA. We have trouble getting people to do this process in 6 months with our hand holding.
Then they have the 30-day HHS review and 60-day response loop. We always see. That includes reviewing the SRA until HHS is happy with it.
After the final approval of the SRA from HHS they have 60 days to provide a risk management plan:
The Covered Entity shall develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis. The plan shall include a process and timeline for implementation, evaluation, and revision.
At this point you are back to the 30/60 loop until HHS approves their plan. Once approved they will distribute the plan to the team involved with the implementation of the plan. It explicitly says you should perform an annual SRA during the CAP. Do you think after the CAP they can wait 5 years?
Here is the really interesting thing I noted in the requirement to do them annually:
The Covered Entity shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the Covered Entity, affiliates that are owned, controlled, or managed by the Covered Entity, and its engaged business associates, and document the security measures the Covered Entity implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
Next they have to submit a training plan. It has to be approved by HHS. Once it is approved all workforce members must be trained within 30 days. New members must be trained within 14 days of employment AND in all cases BEFORE given access to PHI. The company is responsible for ensuring all workforce members must comply with the training requirements including regular training. PLUS, all training must be reviewed annually and updates as needed including information found in audits and reviews of their program.
Policies and Procedures
Here comes another interesting statement when they talk about making sure there are policies and procedures that address all of the Privacy, Security, and Breach notification rules including pointing out the general rules in Part 160. Then it says this bit:
Additionally, in light of HHS’ investigation, particular revision is required to the Covered Entity’s policies and procedures relating to:
i. Business Associates & Business Associate Agreements,
ii. Technical access controls for any and all network/server equipment and systems to prevent impermissible access and disclosure of ePHI,
iii. Technical access control and restriction for all software applications that contain ePHI to ensure authorized access is limited to the minimum amount necessary,
iv. Technical mechanisms to create access and activity logs as well as administrative procedures to routinely review logs for suspicious events and respond appropriately,
v. Termination of user accounts when necessary and appropriate,
vi. Required and routine password changes,
vii. Password strength and safeguarding, and viii. Addressing and documenting security incidents.
Of course, they have to show that they update the P&P that they have now based on findings of their SRA and it must be done within 90 days of approval of their risk management plan. Then, you go into another loop until they are approved by HHS.
A bunch of specifics about making certain that all workforce members review the approved policies and procedures is included and signed off on.
To take it a step further they added in a completely separate section on the minimum content for the P&P that basically says the minimum is everything.
The details hit on BAAs, NPPs, and details on encryption. You really should read the CAP because it is unlike any we have seen before specifically with the level of detail
It is troublesome to see CAPs like these handed out this many years past the HIPAA implementation. They have a lot of work to do under the watchful eye of OCR now. I can assure you it will not be a cake walk for the next couple of years.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!