The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations promulgated thereunder (“HIPAA”) should be now well-known to health care providers and health plans. Under HIPAA’s “Privacy Rule,” covered entities must take steps to “reasonably safeguard” protected health information (“PHI”) from any “intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements” of the Privacy Rule. What is also becoming painfully clear is the growing financial and reputational risks to covered entities (and business associates) from a breach of HIPAA’s Privacy or Security Rules stemming from unauthorized access or disclosure of PHI.
A recent ruling by a U.S. Department of Health and Human Services Administrative Law Judge (“ALJ”) in the case of Director of the Office for Civil Rights v. Lincare, Inc., (Decision No. CR4505, Jan. 13, 2016), underscores the substantial penalties that a health care provider can face, even for relatively small-scale HIPAA violations, particularly if the provider determines to not settle with the Office of Civil Rights (“OCR”) and instead contests the claimed violations. In Lincare, a home care agency was found to have violated the Privacy Rule when an unauthorized person (the husband of a home health employee) was able to access patient records after the employee had removed records from the agency and taken them into the field as part of her job. Specifically, the ALJ upheld a civil monetary penalty (“CMP”) of $239,800 imposed by OCR – only the second time the OCR has sought CMPs for violations of HIPAA’s Privacy Rule. In a unique twist, OCR was alerted to the improper disclosures when the “estranged husband” of an employee of the home care agency complained to OCR that his wife allowed him to access documents containing PHI when she moved out of the marital home and left patient records behind.
Lincare Home Care Agency. The respondent Lincare, Inc., d/b/a United Medical (“Lincare”) supplies respiratory care, infusion therapy, and medical equipment to patients in their homes. Lincare operates more than 850 branch locations in 48 states. As Lincare explained, because its employees provide services in the homes of patients, they often remove patient records containing PHI from its branch locations. Additionally, according to Lincare, managers of the various Lincare branch offices are required to maintain in their vehicles copies of Lincare’s “Emergency Procedures Manual,” which contains PHI of Lincare patients, so that employees could access patient contact information if an office was destroyed or otherwise inaccessible.
PHI at Issue. Faith Shaw was a Lincare branch manager in Wynne, Arkansas from October 2005 until July 2009 and maintained the “Emergency Procedures Manual,” with PHI of 270 Lincare patients, as well as patient-specific documents of eight Lincare patients. The patient records and Manual were apparently hard copies, and not electronically secured through encryption or authentication.
Disclosure of the PHI. Ms. Shaw kept the records containing PHI in her car and in her marital home, where her husband lived. After a falling out with her husband Richard in August 2008, Ms. Shaw moved out of the marital home and left the documents containing the PHI behind in her home and car. In November of 2008, Mr. Shaw, who was concededly not authorized to access the Lincare PHI, reported to Lincare and OCR that he had in his possession the Emergency Procedures Manual and the eight patient files left behind by his wife.
OCR’s Investigation and Action. Following its investigation, OCR determined that Ms. Shaw: (a) kept the PHI either in her vehicle or home, to which Mr. Shaw had access; (b) maintained the PHI without proper safeguards, (c) knew or reasonably should have known that the manner in which she kept the PHI did not reasonably safeguard such PHI, and (d) knew or reasonably should have known that Mr. Shaw had ready access to the PHI. While acknowledging that the provision of home care services may require providers to remove PHI from their offices, OCR found that Lincare’s policies and procedures did not adequately instruct its employees how to maintain PHI taken off the premises in a safe and secure manner and that Lincare did not properly record or track removed PHI. Unlike the majority of HIPAA violations cited by OCR against providers, Lincare did not settle with OCR and instead determined to contest OCR’s charges.
In the absence of a settlement, OCR cited the following “aggravating” factors for imposing a substantial CMP against Lincare:
The length of time Lincare allowed employees to transport PHI away from the office without appropriate and reasonable safeguards; and
Lincare’s failure to promptly review and enhance its HIPAA policies for safeguarding PHI taken off premises even after it was notified of the improper disclosure.
Accordingly, OCR sought to impose a CMP totaling 239,800 for Lincare’s alleged violations of HIPAA’s Privacy Rule, broken down as follows:
Impermissibly disclosing PHI: OCR determined that Lincare had improperly disclosed PHI of 278 patients in November of 2008, which then carried a penalty of $100 per patient. OCR imposed a penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.
Failure to safeguard PHI: OCR determined that the failure to safeguard the PHI lasted from February 1, 2008 through November 17, 2008, which carried a penalty of $100 per day. OCR imposed an additional penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.
Failure to implement policies and procedures to ensure compliance with the Privacy Rule: OCR determined that Lincare’s failure continued from (a) February 1, 2008 through December 31, 2008, at a penalty of $100 per day, with a maximum of $25,000 per calendar year, (b) January 1, 2009 through February 17, 2009, at a penalty of $100 per day, which totaled $4,800, and (c) from February 18, 2009 through July 28, 2009, during which time, penalty amounts were increased pursuant to the adoption of the HITECH Act, and which OCR determined to be $1,000 per day, totaling $160,000.
Significantly, in effectively stacking CMPs for separate HIPAA violations, one on top of another—although arising from the same breach or continued breach—OCR was able to multiply the aggregate size of penalties to $239,800. At the same time, OCR determined that there was no basis to waive the imposition of the CMP because there was no evidence that the payment of a CMP would be excessive relative to the violations that it found.
Lincare appealed OCR’s determination before an ALJ. OCR moved for summary judgment, arguing that there was no genuine issue of material fact concerning the HIPAA violations and that it was entitled to impose the aggregate CMP as a matter of law.
The ALJ’s Analysis
The ALJ granted OCR’s motion for summary judgment, finding that the evidence established that Lincare had violated HIPAA, and upheld the CMP of $239,800.
Theft is No Defense to Improper Disclosures: In its defense, Lincare claimed that it was not responsible for the improper disclosure because it was the victim of a theft. Specifically, Lincare claimed that Mr. Shaw “stole” the PHI from his wife and “attempted to use it as leverage to induce his estranged wife to return to him.” The ALJ rejected this argument, concluding that Lincare was obligated to take “reasonable steps to protect its PHI from theft.” The ALJ explained that Lincare violated this obligation when Ms. Shaw took documents out of the office and left them in in her car or home, allowing her husband to access them; and then completely abandoned them.
Consider Settling with OCR to Avoid a CMP: The OCR’s imposition of a CMP, and the ALJ’s decision to affirm this penalty, represents only the second time a CMP has been imposed for a violation of the HIPAA Privacy Rule, and the first one in which an ALJ ruled on the merits. Typically, OCR attempts to resolve HIPAA violations informally, but could not reach such a resolution with Lincare in this case. Had a resolution been reached, the OCR would likely not have sought and secured such a substantial CMP based on “aggravating factors,” with the resultant fine likely to have been significantly lower.
Consider Encryption or other Means for Accessing PHI Remotely: Employees of home care agencies often need to access PHI in the field when providing services. However, the provider should consider restricting access only through electronic devices, with appropriate encryption and user authentication, to prevent unauthorized users from accessing these records.
Update Policies and Procedures: Policies and procedures should detail for employees when patient records can be removed from the office and taken into the field, and under what circumstances; and identify how such records containing PHI should be safeguarded from disclosure.
Implement a System to Track Removed PHI: Similarly, a system should be implemented to record and track the removal of records containing PHI so as to allow the health care provider to account for and maintain oversight over removed documents.
Regularly Train Employees: Having detailed policies and procedures is not enough; all employees should be regularly trained on the HIPAA Privacy and Security Rules, and the agency’s corresponding HIPAA policies and practices. To reinforce training, to the extent any PHI is removed from the premises, employees should be continually reminded not to allow unauthorized persons—including a spouse or other family or friends—to access the records.