An administrative law judge (ALJ) recently upheld a determination by the Office for Civil Rights (OCR) that Lincare, Inc. violated the HIPAA Privacy Rule when it failed to implement policies to safeguard protected health information (PHI) that its employees removed from Lincare’s premises in the course of performing their in-home care duties. The judgment requires Lincare to pay $239,800 in civil monetary penalties (CMPs). This is only the second time in history that the OCR has sought CMPs for HIPAA violations, and in both instances the ALJ has upheld the imposition of CMPs.

Lincare provides respiratory care, infusion therapy and medical equipment to patients in their homes and permits its employees to take PHI offsite for the purpose of providing these in-home services. OCR investigated a complaint that a Lincare employee left behind documents containing PHI of 278 patients after moving residences, and determined that Lincare did not have sufficient policies and procedures in place to protect PHI taken offsite, although employees regularly removed material from Lincare’s premises in the course of performing their job duties. While Lincare had implemented policies allowing employees to take PHI from its premises, these policies did not include appropriate administrative and physical safeguards to protect the PHI, nor did they include a mechanism to monitor which PHI had been removed and returned. Although Lincare was aware of the complaint and OCR’s investigation, Lincare took only minimal action to correct its policies and strengthen its safeguards to comply with the HIPAA rules.

In an opinion upholding OCR’s determination that Lincare’s omission of safeguards constituted willful neglect, the ALJ confirmed that Lincare violated the Privacy Rule by allowing employees to remove PHI from its premises without implementing policies designed to protect and monitor the removal and return of PHI. OCR Director Jocelyn Samuels stated that while OCR prefers to resolve issues through voluntary compliance, it will take steps to obtain adequate remedies for violations of the HIPAA rules, and that all covered entities whose employees take PHI offsite must have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.

In light of this decision and the ALJ’s precedent of upholding CMPs for HIPAA violations, covered entities permitting employees to take PHI offsite should ensure that their policies and procedures contain adequate safeguards to protect the privacy and security of the PHI, and implement a mechanism for tracking the removal and return of PHI.

Read the ALJ’s full opinion on the Department of Health and Human Services’ website.