On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge (ALJ) upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides respiratory care and equipment for over 1,000 medical centers to patients at their homes.

In December 2008, a Lincare employee’s estranged husband reported that the employee abandoned patient information in their home. OCR investigated the incident and found that 278 patients’ information was abandoned by the employee and that Lincare lacked adequate safeguards for the protected health information (PHI). According to the ex-husband, the employee regularly stored PHI in her home and car. According to OCR, Lincare’s policies did not have instructions prohibiting such storage or guiding employees on protecting PHI off-site, and Lincare did not track the transport and storage of its PHI off-site.

In January 2014, after unsuccessful attempts to reach a voluntary agreement with Lincare, OCR assessed CMPs for Lincare’s failure to safeguard PHI, impermissible disclosure of PHI, and failure to implement policies and procedures to ensure compliance with the HIPAA Privacy Rule. Lincare appealed OCR’s findings, but OCR filed a motion for summary judgment before the ALJ. Lincare did not contest the amount of the CMP in its response. Lincare can still appeal the ALJ’s judgment.

This is only the second time that HIPAA CMPs have been assessed. Five years ago, Cignet received a CMP of $4.3 million for denying patients access to their own medical records and failing to cooperate with the government’s investigation.

OCR generally tries to settle HIPAA violations by entering into resolution agreements with the covered entities. However, as demonstrated here, OCR will move forward with CMPs if the parties do not reach resolution.