OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA breaches.
Lincare Inc. must to pay $239,800 for violations of the HIPAA Privacy Rule which were found during the investigation of a complaint about a breach of 278 patient records.
The Privacy Rule breach – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge and the motion for summary judgement was given and the decision to issue civil monetary penalties was carried.
HIPAA Privacy Rule Violation Identified by OCR
Lincare Inc., doing business as United Medical, runs more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at the centers, and via medical services delivered in their patients’ homes.
A complaint was submitted with OCR about an Lincare employee who left documents containing the PHI of 278 patients at one of the places where medical services were provided.
The investigation by OCR discovered that PHI had been taken from Lincare facilities, exposed to an individual unauthorized to view PHI, and that the Lincare staff member had abandoned the documents. Further, the investigation found a number of HIPAA violations.
Employees were routinely taking PHI from Lincare premises, yet insufficient safeguards had been put in place to keep those data secure. While not a written policy, some staff members were known to keep PHI of patients in their vehicles for “extended periods of time,” and this appeared to be condoned by Lincare.
OCR pointed out that even after finding the data breach and seeing that OCR was investigating the incident, relatively little was done to rectify the security vulnerabilities and implement stricter controls to prevent the exposure of PHI.
During to the investigation, Lincare maintained that HIPAA Rules had not been violated as the documents containing patient PHI had been “stolen” by the individual who subsequently reported the HIPAA violation to OCR. The Administrative Law Judge said no evidence could be given by Lincare that this was, in fact, the case. Lincare argued that the person making the complaint had stolen the data in an attempt to “use it as leverage to induce his estranged wife to return to him.”
As per the ALJ’s Opinion, Lincare Manager Faith Shaw removed patients PHI from her office, left it in locations where her husband had access, and then abandoned it. The judge said that no one at Lincare, including Center Manager Shaw, knew the information was missing until many months later. That was not deemed to be an sufficient attempt to “reasonably safeguard” patient PHI.
The judge also referred to the fact that when asked about whether Lincare would be revising policies to ensure PHI was better protected, the company’s corporate compliance officer said Lincare “had considered putting a policy together that said thou shalt not let anybody steal your protected health information.”
In most cases, OCR reaches a voluntary agreement with covered entities and a settlement is agreed to resolve potential HIPAA violations. While it is rare for a CMP to be applied, this fine demonstrates that OCR will chase actions through the courts and will hold HIPAA-covered bodies financially liable for violating HIPAA Privacy, Security, and Breach Notification Rules. An agreement on a voluntary settlement does not need to be reached.