HIPAA Enforcement: Administrative Law Judge Rules in Favor of OCR Enforcement

“Under HIPAA, Respondent was obligated to take reasonable steps to protect its PHI from theft.”

On January 13, 2016, an Administrative Law Judge (“ALJ”) ruled that Lincare, Inc. (“Lincare”), a home health company, violated the HIPAA Privacy Rule. Lincare was ordered to pay $239,800 in civil money penalties (“CMPs”) imposed by the Office for Civil Rights (“OCR”). This is only the second time that OCR has sought CMPs for HIPAA violations, and each time the CMPs were upheld upon judicial review.

OCR began investigating Lincare after receiving a complaint regarding improper storage of patient medical records. Per Lincare’s standard practice, its employees brought patient-specific medical records from Lincare’s offices to patients’ homes, as Lincare supplies respiratory care, infusion therapy and medical equipment to its patients.

During the OCR investigation, it was discovered that Lincare had inadequate policies and procedures in place to safeguard protected health information (“PHI”) that was taken offsite. OCR also found evidence indicating that Lincare “had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time.” Additionally, OCR learned that Lincare took only minimal corrective actions to safeguard PHI and ensure compliance with HIPAA rules.

In January 2014, OCR started formal penalty proceedings against Lincare following unsuccessful attempts to resolve the issue through voluntary resolution agreements, e.g., monetary settlements and corrective action plans.

Earlier this year, the ALJ ruled in favor of OCR. The ALJ found that Lincare failed to safeguard PHI and that this failure resulted in PHI being disclosed to an unauthorized person. The ALJ also found that Lincare failed to establish adequate policies and procedures to protect PHI, including policies addressing how PHI should be secured offsite and procedures for tracking documents removed from the office and ensuring that documents are returned.

Such cases highlight the importance of having thorough and comprehensive written policies and procedures to safeguard PHI. In order to ensure your organization is in compliance with the ALJ ruling and HIPAA, we recommend the following:

  • Ensure policies and procedures address instances where PHI is taken off-site/outside your organization’s “firewall.”
  • Review off-site policies and procedures to ensure that they comport with the ALJ ruling and HIPAA, i.e., how to secure PHI offsite, the procedure for tracking PHI/documents removed, and how to ensure documents are returned.
  • Re-train and reinforce PHI policies across your organization.
  • Consult with General Counsel and Human Resources regarding employee consequences for violating policies and procedures.
