For only the second time in its history (following the $4.3 million Cignet case) the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) imposed civil money penalties (CMPs) on a company for violating the Health Insurance Portability and Accountability (HIPAA) Privacy Rule.
Lincare, Inc. (Lincare), a home health provider, was required to pay $239,800 in CMPs after an HHS Administrative Law Judge (ALJ) found that the undisputed evidence in the case established that Lincare violated HIPAA because it did not implement policies and procedures to safeguard records containing its patients’ protected health information (PHI).
The OCR investigation began when an individual complained to OCR that a Lincare employee left behind documents containing the PHI of 278 patients when the employee moved residences. According to the ALJ, Lincare had inadequate policies and procedures in place to safeguard PHI taken offsite even though employees regularly removed material from the business premises. Further evidence suggested that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time.
Although Lincare claimed that the records were left behind only because the person who complained to OCR had stolen them, the ALJ rejected this argument. Even if true, the ALJ reasoned, HIPAA also requires companies to take reasonable steps to protect PHI from theft.
Although the incident affected only a small number of individuals, the ALJ’s decision and the Notice of Proposed Determination provide insight into why OCR proceeded with the unusual step of seeking a CMP. First, OCR and Lincare were unable to resolve the claims by informal means. Second, according to OCR and the ALJ, Lincare employees exhibited willful neglect with regard to safeguarding PHI, and the company took only “minimal action” to correct its policies and strengthen its practices to ensure HIPAA compliance even when Lincare was aware of the complaint and OCR investigation.
This case serves as a reminder that OCR can and will proceed with formal enforcement action both when the facts indicate serious wrongdoing and when OCR’s preferred method of informal resolution fails.