Lincare, Inc., will need to pay $239,800 in fines for a HIPAA violation, according to a notice from the Office for Civil Rights.
This decision comes from an Administrative Law Judge (ALJ) at the Department of Health and Human Services following an OCR complaint that Lincare, a home health provider, had been responsible for the disclosure of the PHI of 278 patients.
OCR alleged that Lincare’s general manager, Faith Shaw, had left behind the medical files containing the PHI after she left her husband and moved out of her residence in 2008. Shaw’s husband, at the time, notified OCR that he had been left in possession of the files even though he was not authorized to view them.
In response, OCR notified Lincare that it was conducting an investigation into these allegations and found that Shaw had not taken appropriate measures under the HIPAA Privacy Rule to adequately safeguard the PHI.
In a 2014 letter to Lincare, OCR explained its findings as follows:
The Center Manager, a workforce member and agent of Lincare, knew or, by exercising reasonable diligence, would have known that the manner in which she kept and maintained the PHI (left continuously, including overnight, in either a vehicle to which she knew the Complainant had access and/or in the home she shared with the Complainant) was not an appropriate way to reasonably safeguard such PHI as required by the Privacy Rule.
OCR also found that Lincare had specific regulations that allowed employees like Shaw to keep patient records containing PHI in their own residences and vehicles, in violation of the HIPAA Privacy Rule.
Lincare also reportedly did not comply with OCR after the agency notified it of its findings and of the violations the healthcare organization had committed. When Lincare did attempt to informally mitigate the issue, it reportedly did not provide adequate evidence to relieve itself of the civil monetary penalties of $239,800.
According to a prepared OCR statement, the agency prefers to settle HIPAA violations through informal mitigation. However, because Lincare did not comply with OCR’s attempts to do so, the agency pursued its civil monetary penalties.
“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “The decision in this case validates the findings of our investigation. Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”
In its defense, Lincare stated that the data had been stolen by Shaw and that the HIPAA violation had not been the fault of the healthcare organization as a whole. However, according to OCR’s investigation, the healthcare provider had many unwritten, cultural policies that allowed employees to take home PHI.
Following OCR’s investigation, Lincare reportedly took few steps to bring those policies into closer compliance with HIPAA.
“Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time,” OCR said in a statement on its website. “Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules.”