West Georgia Ambulance, Inc. (West Georgia), has agreed to pay $65,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. West Georgia is an ambulance company that provides emergency and non-emergency ambulance services in Carroll County, Georgia.
OCR began its investigation after West Georgia filed a breach report in 2013 concerning the loss of an unsecured laptop containing the protected health information (PHI) of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. Despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address their systemic failures.