HIPAA Violation Costs Lincare $239,800

by | Feb 4, 2016

OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA breaches.

Lincare Inc. must to pay $239,800 for violations of the HIPAA Privacy Rule which were found during the investigation of a complaint about a breach of 278 patient records.

The Privacy Rule breach – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge and the motion for summary judgement was given and the decision to issue civil monetary penalties was carried.

HIPAA Privacy Rule Violation Identified by OCR

Lincare Inc., doing business as United Medical, runs more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at the centers, and via medical services delivered in their patients’ homes.

A complaint was submitted with OCR about an Lincare employee who left documents containing the PHI of 278 patients at one of the places where medical services were provided.

The investigation by OCR discovered that PHI had been taken from Lincare facilities, exposed to an individual unauthorized to view PHI, and that the Lincare staff member had abandoned the documents. Further, the investigation found a number of HIPAA violations.

Employees were routinely taking PHI from Lincare premises, yet insufficient safeguards had been put in place to keep those data secure. While not a written policy, some staff members were known to keep PHI of patients in their vehicles for “extended periods of time,” and this appeared to be condoned by Lincare.

OCR pointed out that even after finding the data breach and seeing that OCR was investigating the incident, relatively little was done to rectify the security vulnerabilities and implement stricter controls to prevent the exposure of PHI.

During to the investigation, Lincare maintained that HIPAA Rules had not been violated as the documents containing patient PHI had been “stolen” by the individual who subsequently reported the HIPAA violation to OCR. The Administrative Law Judge said no evidence could be given by Lincare that this was, in fact, the case. Lincare argued that the person making the complaint had stolen the data in an attempt to “use it as leverage to induce his estranged wife to return to him.”

As per the ALJ’s Opinion, Lincare Manager Faith Shaw removed patients PHI from her office, left it in locations where her husband had access, and then abandoned it. The judge said that no one at Lincare, including Center Manager Shaw, knew the information was missing until many months later. That was not deemed to be an sufficient attempt to “reasonably safeguard” patient PHI.

The judge also referred to the fact that when asked about whether Lincare would be revising policies to ensure PHI was better protected, the company’s corporate compliance officer said Lincare “had considered putting a policy together that said thou shalt not let anybody steal your protected health information.”

In most cases, OCR reaches a voluntary agreement with covered entities and a settlement is agreed to resolve potential HIPAA violations. While it is rare for a CMP to be applied, this fine demonstrates that OCR will chase actions through the courts and will hold HIPAA-covered bodies financially liable for violating HIPAA Privacy, Security, and Breach Notification Rules. An agreement on a voluntary settlement does not need to be reached.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy