A U.S. Department of Health and Human Services (HHS) administrative law judge (ALJ) recently sustained an earlier HHS Office for Civil Rights (OCR) decision to impose a civil money penalty (CMP) of $239,800 against Lincare Inc. (Lincare) in connection with HIPAA violations discovered after a breach of patient records. This is only the second time that OCR has sought a CMP for Health Insurance Portability and Accountability Act (HIPAA) violations.
Lincare operates more than 850 medical centers and provides respiratory care, infusion therapy, and medical equipment to patients both at its facilities and through in-home medical services. The initial investigation of Lincare began when an employee of the company left documents containing protected health information (PHI) behind after moving out of the home she shared with her husband. Her estranged husband later found those documents and reported the incident to OCR.
Further investigation by OCR confirmed that employees routinely removed documents containing PHI from Lincare premises and left PHI exposed in various public locations. OCR found that Lincare did not have sufficient policies and procedures to safeguard PHI removed from Lincare facilities when providing in-home care. Additionally, OCR determined that until 2008 there was an unwritten policy allowing some employees to store PHI in their vehicles for extended periods of time without any security protections.
OCR noted in its findings that even after it notified Lincare of the breach, little was done to address the privacy and security vulnerabilities that had been exposed. OCR found that Lincare did not informally mitigate the issue and failed to take the OCR-recommended steps to correct the security deficiencies. As a result, OCR imposed the $239,800 CMP.
Lincare appealed the OCR decision on a claim of “unreliable and inadmissible” evidence, maintaining that HIPAA had not been violated because the documents were stolen by the employee’s husband, the person who subsequently reported the violation. The ALJ ruled that even if the defense were to be believed, Lincare and its employees had an obligation to safeguard PHI and not leave those documents in a place accessible to “this purportedly untrustworthy and possibly unbalanced individual, and then, apparently without giving a thought to the security of those documents, abandoned them entirely.”
This case should serve as a warning that adequate remediation of HIPAA violations is critical to avoiding large penalties. OCR Director Jocelyn Samuels notes that “[w]hile OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”