For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc., is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records.
The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge and the motion for summary judgement was granted and the decision to issue civil monetary penalties was sustained.
HIPAA Privacy Rule Violation Uncovered by OCR
Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities, and via medical services delivered in-home.
A complaint was filed with OCR about a Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided.
The investigation by OCR confirmed that PHI had been removed from Lincare facilities, exposed to an individual unauthorized to view PHI, and that the Lincare employee had abandoned the documents. Further, the investigation revealed a number of HIPAA violations.
Employees were routinely removing PHI from Lincare premises, yet insufficient safeguards had been put in place to keep those data secure. While not a written policy, some employees were known to keep PHI of patients in their vehicles for “extended periods of time,” and this appeared to be condoned by Lincare.
OCR pointed out that even after discovering the data breach and finding out that OCR was investigating the incident, relatively little was done to address the security vulnerabilities and implement more stringent controls to prevent the exposure of PHI.
According to the case, Lincare maintained that HIPAA Rules had not been violated as the documents containing patient PHI had been “stolen” by the person who subsequently reported the HIPAA violation to OCR. The Administrative Law Judge said no evidence could be provided by Lincare that this was the case. Lincare argued that the complainant had stolen the data in an attempt to “use it as leverage to induce his estranged wife to return to him.”
According to the ALJ’s Opinion, Lincare Manager Faith Shaw removed patients PHI from her office, left it in locations where her husband had access, and then abandoned those data. The judge said that no one at Lincare, including Center Manager Shaw, knew the information was missing until months later. That was not deemed to be an adequate attempt to “reasonably safeguard” patient PHI.
The judge also pointed out that when asked about whether Lincare would be revising policies to ensure PHI was better protected, the company’s corporate compliance officer said Lincare “had considered putting a policy together that said thou shalt not let anybody steal your protected health information.”
In the majority of cases, OCR reaches a voluntary agreement with covered entities and a settlement is reached to resolve potential HIPAA violations. While it is rare for a CMP to be issued, this fine demonstrates that OCR will pursue actions through the courts and will hold HIPAA-covered entities financially liable for violating HIPAA Privacy, Security, and Breach Notification Rules. An agreement on a voluntary agreement does not need to be reached.
Second Sub-500-Record Fine Issued by OCR for HIPAA Violations
This is not the first time OCR has fined a covered entity for HIPAA violations discovered after a breach of fewer than 500 healthcare records. In early 2013, The Hospice of North Idaho (HONI) agreed to a fine of $50,000 for a data breach caused by the theft of a laptop computer containing the records of 441-patient health records.
The fines show that it is not the size of the breach that is the issue, but the severity of the HIPAA violations that led to the exposure of protected health information.