Home respiratory care, infusion therapy and medical equipment provider Lincare, Inc. (Lincare) must pay a $239,800 civil monetary penalty (CMP), only the second CMP ever imposed by the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, following the January 13, 2015 summary judgment ruling of HHS Administrative Law Judge Carolyn Cozad Hughes (the ALJ). The ALJ's ruling in Director of the Office for Civil Rights, Petitioner, v. Lincare, Inc. rejected Lincare's appeal of the penalty, which OCR assessed for HIPAA violations it found Lincare had committed. Because it is only the second CMP OCR has ever assessed against a health care provider, health plan or health care clearinghouse ("covered entity") for violating HIPAA, the Lincare case contains many important lessons for home health care and other covered entities and their business associates about their HIPAA responsibilities: to act properly to protect PHI used or accessed by members of their workforce outside the covered entity's offices, and to ensure that workforce members know that their duty to protect PHI against improper disclosure extends to preventing disclosure to their spouses and other family or friends with potential access to systems or records containing PHI.
Lincare Facts & Decision
The Lincare CMP resulted from HIPAA violations that OCR found when it investigated a HIPAA complaint filed by the estranged spouse of Lincare's Wynne, Arkansas Center Manager, Faith Shaw. Ms. Shaw's estranged husband, Richard Shaw, reported to Lincare and to OCR that Ms. Shaw had left behind documents containing the protected health information (PHI) of 278 patients when she moved out of the marital home in August 2008. During OCR's investigation, Ms. Shaw and her manager both told OCR that she and other Lincare employees regularly were required to remove, and regularly did remove, records containing PHI from Lincare's offices in order to provide home health care services. In fact, Ms. Shaw and her manager told OCR that Lincare instructed center managers like Ms. Shaw to keep copies of the procedures manual "secured" in their vehicles so that company employees would have access to patient contact information if a center office were destroyed or otherwise made inaccessible. Ms. Shaw said she followed these practices when she took the manual and other documents containing PHI out of the office, and she admitted to keeping documents containing PHI in her car during her marriage even though she knew that her then husband had keys to the car. Ms. Shaw also admitted that when she moved out of the marital home in August 2008, she left the documents behind without realizing it. She told the OCR investigator that, when she left, she did not even know where the car was parked. Neither Ms. Shaw nor anyone else at Lincare realized that the documents had been left behind until her estranged spouse, Richard Shaw, who all parties agreed was not authorized to see the PHI, reported to Lincare and then to OCR that he had them in his possession.
Based on these and other findings, OCR concluded that Lincare violated HIPAA by, among other things, having inadequate policies and procedures in place to safeguard patient information taken offsite when it knew employees regularly removed material containing PHI from the business premises to deliver home health care services. OCR also found that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time without making adequate provision for the security and protection of that PHI. OCR concluded that these and other actions violated HIPAA and that Lincare's failure to take prompt corrective action satisfactory to OCR warranted the assessment of the $239,800 CMP.
Lincare disagreed and appealed to the ALJ to have the CMP overturned, relying on HIPAA § 1176(a)(1), which provides that OCR may not impose a CMP if the covered entity shows:
- The covered entity did not know about the violation and, by exercising reasonable diligence, would not have known about the violation; or
- Each of the following:
- Despite the exercise of ordinary business care and prudence, circumstances made it unreasonable for the covered entity to comply with the violated provision;
- The violation was not caused by “willful neglect”; and
- The covered entity corrected the deficiency within 30 days of the date the covered entity knew or should have known about it.
See 45 C.F.R. § 160.410(b).
Lincare argued that it was excused from liability for payment of a CMP because it was the victim of a theft for which it should not be held accountable. Specifically, Lincare claimed that complainant Richard Shaw "stole" the manual and attempted to use it as leverage to induce his estranged wife to return to him.
In her order upholding OCR's imposition of the CMP on summary judgment, the ALJ rejected this argument. Characterizing Lincare's "defense" as unsupported by any evidence and "just as damaging - perhaps even more damaging - than the OCR version of events," the ALJ found that the undisputed evidence established that Manager Shaw, a Lincare workforce member, removed her patients' PHI from the company office, left it in places to which her husband, an unauthorized person, had access, and then abandoned it altogether, so that neither she nor anyone else at Lincare even knew the information was missing until months later. Accordingly, the ALJ granted OCR's motion for summary judgment and upheld OCR's assessment of the $239,800 CMP.
Lessons For Other Covered Entities & Business Associates
Other covered entities and business associates should learn several key lessons from the Lincare decision including:
- HIPAA requires covered entities and their business associates to take reasonable steps to protect their PHI from theft;
- Covered entities and business associates that allow employees or other workforce members to take records containing PHI offsite have a duty to establish and enforce appropriate safeguards to protect those records from theft or other improper use or access; and
- The duty to maintain the privacy of PHI includes a duty to take proper steps to protect PHI from improper disclosure, which in turn includes preventing its disclosure to or use by the spouse or other family members of a workforce member.
All covered entities and their business associates should verify the adequacy of their compliance with these requirements.