For only the second time in its history (following the $4.3 million Cignet case) the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) imposed civil money penalties (CMPs) on a company for violating the Health Insurance Portability and Accountability (HIPAA) Privacy Rule.
Lincare, Inc. (Lincare), a home health provider, was required to pay $239,800 in CMPs after an HHS Administrative Law Judge (ALJ) found that the undisputed evidence in the case established that Lincare violated HIPAA because it did not implement policies and procedures to safeguard records containing its patients’ protected health information (PHI).
The OCR investigation began when an individual complained to OCR that a Lincare employee left behind documents containing the PHI of 278 patients when the employee moved residences. According to the ALJ, Lincare had inadequate policies and procedures in place to safeguard PHI taken offsite even though employees regularly removed material from the business premises. Further evidence suggested that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time.