Lincare, Inc., a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, will pay $239,800 in civil money penalties (CMPs) for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) granted summary judgment to the Office for Civil Rights (OCR) finding that “the undisputed evidence establishes that Lincare violated [the] HIPAA” Privacy Rule and upholding the CMP amount. This is just the second time that OCR has sought CMPs for HIPAA violations.

OCR began investigating Lincare after the estranged husband of a Lincare employee complained his wife allowed him access to the protected health information (PHI) of 278 patients after moving residences and leaving behind the information. Among other actions that were criticized, the Lincare employee kept documents containing patient PHI in her car while her husband had keys to the car and left documents behind in the home when she moved. Lincare did not learn the documents were missing until months later when the employee’s estranged husband reported to Lincare and OCR that he had the documents containing PHI in his possession.

On January 28, 2014, the OCR released its Notice of Proposed Determination. The OCR found three violations of the HIPAA Privacy Rule and issued CMPs for each violation: (1) $25,000 for impermissible disclosure of protected health information in violation of 45 C.F.R. §164.502(a); (2) $25,000 for failure to safeguard protected health information in violation of 45 C.F.R. §164.530(c); and (3) $189,800 for having deficient policies and procedures that allowed workforce members to remove PHI from its premises without appropriately safeguarding the PHI in violation of 45 C.F.R. §164.530(i)(1).

Lincare subsequently challenged the proposed CMPs to the Department of Health and Human Services Departmental Appeals Board. Lincare argued that it should not be held accountable because its employee’s estranged husband “stole” the documents containing PHI. The ALJ rejected this argument and granted summary judgment to the OCR, stating that “[Lincare] was obliged to take reasonable steps to protect its PHI from theft. It violated that obligation when [the employee] took documents out of the office, left them in places (car or home) accessible to [her husband] and then apparently . . . abandoned them entirely.” The ALJ also agreed with the OCR in holding that Lincare failed to develop and implement policies and procedures reasonably designed to protect its patients’ PHI while those documents were out of the office. When asked whether Lincare had considered revising its policies to include specific guidelines for taking PHI out of its offices, the Corporate Compliance Officer responded that Lincare “considered putting a policy together that said thou shalt not let anybody steal your protected health information.” The ALJ did not “consider this a serious response.” Lincare has 30 days to file a notice of appeal.

OCR Director Jocelyn Samuels commented “[w]hile OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA rules.” The CMPs issued against Lincare is evidence the OCR’s continuing efforts to enforce the HIPAA Privacy Rule. This enforcement action is particularly applicable to home health care providers who transport documents containing PHI into the field. Health care providers should do at least the following to reduce the risk of a HIPAA violation:

1. Prohibit employees from removing PHI from their premises unless absolutely necessary to do their jobs.

2. Ensure employees never leave PHI in locked or unlocked cars and never in plain sight.

3. Ensure employees who must take home PHI secure it at all times and never leave it unattended or accessible to any unauthorized individuals.

4. Put in place proper policies and procedures to protect patients’ PHI at all times.

5. Enforce policies regarding safeguarding PHI and make sure employees know you will do so.

6. Properly and regularly train all employees on HIPAA privacy and security at time of hiring and annually thereafter, or as needed when policies are implemented, updated, or laws change.