Doctor concerned with health care law

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Health Law Daily, February 4, 2016

OCR penalizes HHA for HIPAA violations: judgment upheld

By Kayla R. Bryant, J.D.

Civil money penalties (CMP) of $239,800 were upheld against a home health company after an employee abandoned the protected health information (PHI) for over 278 patients. An administrative law judge (ALJ) for the Departmental Appeals Board (DAB) found that Lincare, Inc., which provides various services and equipment to patients in their homes, failed to implement policies to safeguard PHI in violation of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191). CMS notes that this is only the second time in history that the agency’s Office for Civil Rights (OCR) has sought and obtained CMPs for a HIPAA violation (Office for Civil Rights v. Lincare, Inc., Docket No. C-14-1056, Decision No. CR 4505, January 13, 2016).

Breach. A Lincare manager brought home documents containing PHI, a common enough practice in the company. Lincare employees needed access to PHI away from the company’s offices while providing services. The company instructed managers to maintain copies of information in their vehicles as a backup for employees in the event that a center office was not accessible. However, after marital difficulties, she left the home and the PHI, ostensibly located in her vehicle. She told OCR that when she left the home she did not know where the car was located. No one at Lincare was aware that the information was missing until her husband reported to OCR that he was in possession of this information. OCR proposed imposing the CMPs on January 28, 2014.

Policies. Entities subject to HIPAA are required to reasonably safeguard PHI. Lincare argued as a defense that it should not be held responsible for the theft of the information in this instance. The ALJ noted that this defense does not absolve Lincare from wrongdoing, as it was required to try to prevent the theft. Additionally, Lincare did not revise its policies regarding PHI removed from the office in an attempt to prevent a recurrence. There were no policies in place monitoring documents removed from the office. The ALJ granted OCR’s motion for summary judgment.

“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” said OCR Director Jocelyn Samuels, noted in a CMS press release. “The decision in this case validates the findings of our investigation. Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”

Companies: Lincare, Inc., d/b/a United Medical

MainStory: TopStory DABDecisions CMSNews CMPNews ConfidentialityNews HIPAANews HomeNews ProgramIntegrityNews

Back to Top

Health Law Daily

Introducing Wolters Kluwer Health Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.

A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.