Health Law Daily OCR penalizes HHA for HIPAA violations: judgment upheld
News
Thursday, February 4, 2016

OCR penalizes HHA for HIPAA violations: judgment upheld

By Kayla R. Bryant, J.D.

Civil money penalties (CMP) of $239,800 were upheld against a home health company after an employee abandoned the protected health information (PHI) for over 278 patients. An administrative law judge (ALJ) for the Departmental Appeals Board (DAB) found that Lincare, Inc., which provides various services and equipment to patients in their homes, failed to implement policies to safeguard PHI in violation of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191). CMS notes that this is only the second time in history that the agency’s Office for Civil Rights (OCR) has sought and obtained CMPs for a HIPAA violation (Office for Civil Rights v. Lincare, Inc., Docket No. C-14-1056, Decision No. CR 4505, January 13, 2016).

Breach. A Lincare manager brought home documents containing PHI, a common enough practice in the company. Lincare employees needed access to PHI away from the company’s offices while providing services. The company instructed managers to maintain copies of information in their vehicles as a backup for employees in the event that a center office was not accessible. However, after marital difficulties, she left the home and the PHI, ostensibly located in her vehicle. She told OCR that when she left the home she did not know where the car was located. No one at Lincare was aware that the information was missing until her husband reported to OCR that he was in possession of this information. OCR proposed imposing the CMPs on January 28, 2014.

Policies. Entities subject to HIPAA are required to reasonably safeguard PHI. Lincare argued as a defense that it should not be held responsible for the theft of the information in this instance. The ALJ noted that this defense does not absolve Lincare from wrongdoing, as it was required to try to prevent the theft. Additionally, Lincare did not revise its policies regarding PHI removed from the office in an attempt to prevent a recurrence. There were no policies in place monitoring documents removed from the office. The ALJ granted OCR’s motion for summary judgment.

“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” said OCR Director Jocelyn Samuels, noted in a CMS press release. “The decision in this case validates the findings of our investigation. Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”

Companies: Lincare, Inc., d/b/a United Medical

MainStory: TopStory DABDecisions CMSNews CMPNews ConfidentialityNews HIPAANews HomeNews ProgramIntegrityNews

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More