July 14, 2020

Volume X, Number 196

Administrative Law Judge Upholds Rare $239,800 HIPAA Civil Monetary Penalty Against Home Health Provider

Lincare, Inc., a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, will pay $239,800 in civil money penalties (CMPs) for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) granted summary judgment to the Office for Civil Rights (OCR) finding that “the undisputed evidence establishes that Lincare violated [the] HIPAA” Privacy Rule and upholding the CMP amount. This is just the second time that OCR has sought CMPs for HIPAA violations.

OCR began investigating Lincare after the estranged husband of a Lincare employee complained his wife allowed him access to the protected health information (PHI) of 278 patients after moving residences and leaving behind the information. Among other actions that were criticized, the Lincare employee kept documents containing patient PHI in her car while her husband had keys to the car and left documents behind in the home when she moved. Lincare did not learn the documents were missing until months later when the employee’s estranged husband reported to Lincare and OCR that he had the documents containing PHI in his possession.

On January 28, 2014, the OCR released its Notice of Proposed Determination. The OCR found three violations of the HIPAA Privacy Rule and issued CMPs for each violation: (1) $25,000 for impermissible disclosure of protected health information in violation of 45 C.F.R. §164.502(a); (2) $25,000 for failure to safeguard protected health information in violation of 45 C.F.R. §164.530(c); and (3) $189,800 for having deficient policies and procedures that allowed workforce members to remove PHI from its premises without appropriately safeguarding the PHI in violation of 45 C.F.R. §164.530(i)(1).

Lincare subsequently challenged the proposed CMPs to the Department of Health and Human Services Departmental Appeals Board. Lincare argued that it should not be held accountable because its employee’s estranged husband “stole” the documents containing PHI. The ALJ rejected this argument and granted summary judgment to the OCR, stating that “[Lincare] was obliged to take reasonable steps to protect its PHI from theft. It violated that obligation when [the employee] took documents out of the office, left them in places (car or home) accessible to [her husband] and then apparently . . . abandoned them entirely.” The ALJ also agreed with the OCR in holding that Lincare failed to develop and implement policies and procedures reasonably designed to protect its patients’ PHI while those documents were out of the office. When asked whether Lincare had considered revising its policies to include specific guidelines for taking PHI out of its offices, the Corporate Compliance Officer responded that Lincare “considered putting a policy together that said thou shalt not let anybody steal your protected health information.” The ALJ did not “consider this a serious response.” Lincare has 30 days to file a notice of appeal.

OCR Director Jocelyn Samuels commented, “[w]hile OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA rules.” The CMPs issued against Lincare are evidence of the OCR’s continuing efforts to enforce the HIPAA Privacy Rule. This enforcement action is particularly applicable to home health care providers who transport documents containing PHI into the field. Health care providers should do at least the following to reduce the risk of a HIPAA violation:

  1. Prohibit employees from removing PHI from their premises unless absolutely necessary to do their jobs.

  2. Ensure employees never leave PHI in locked or unlocked cars and never in plain sight.

  3. Ensure employees who must take home PHI secure it at all times and never leave it unattended or accessible to any unauthorized individuals.

  4. Put in place proper policies and procedures to protect patients’ PHI at all times.

  5. Enforce policies regarding safeguarding PHI and make sure employees know you will do so.

  6. Properly and regularly train all employees on HIPAA privacy and security at time of hiring and annually thereafter, or as needed when policies are implemented, updated, or laws change.

© 2020 Dinsmore & Shohl LLP. All rights reserved. National Law Review, Volume VI, Number 36


About this Author

Matthew Arend, Litigation Attorney, Dinsmore & Shohl

Matt is a member of the Health Care Practice Group, focusing his practice on all aspects of federal and state privacy and data security issues, including HIPAA compliance, breach analyses, and governance. He also routinely advises clients on compliance with federal and state anti-kickback laws, Stark law, Sunshine Act, Medicare Secondary Payer laws, pharmaceutical marketing rules and other regulatory matters. Additionally, his thorough knowledge of the healthcare arena enables him to counsel clients through audits and investigations, as well as providing training and...

Jennifer Mitchell, Health Care Practice Group Partner, Dinsmore & Shohl

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the constantly evolving health care legal landscape, in addition to HIPAA, Jen provides health care regulatory and compliance guidance to her clients in areas such as the federal and state anti-kickback laws, Stark law, PPACA (health reform), Sunshine Act, Medicare Secondary Payer laws, pharmaceutical marketing rules, ADA standards, and other laws and regulations impacting her health care clients. 

Jenna Moran, Corporate Attorney, Dinsmore Law Firm

Jenna is a member of the Corporate Department, focusing her practice on health care law. Prior to joining Dinsmore, she served as a judicial extern for Judge Raymond Mitchell in the Circuit Court of Cook County in Chicago. She also worked as a law clerk for Krieg DeVault, LLP in Chicago where she gained experience in regulatory compliance, pharmacy law, Medicare/Medicaid appeals and reimbursement, and health law litigation. Jenna also served as the Symposium Editor for the DePaul Law Review, where she organized the 24th annual DePaul Law Review Symposium bringing...