On February 3, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that an Administrative Law Judge (“ALJ”) ruled that Lincare, Inc. (“Lincare”) violated the HIPAA Privacy Rule and ordered the company to pay $239,800 to OCR.

Lincare, a health care provider, was investigated by OCR in 2009 after the ex-spouse of a Lincare employee discovered records in their home that contained the protected health information (“PHI”) of several hundred Lincare patients. OCR’s investigation revealed that the Lincare employee had improperly removed the PHI from Lincare’s facility and stored it in her vehicle as well as in her home. Lincare had failed to record or track the movements of the PHI, and its privacy policy lacked any discussion of “safeguarding PHI that is taken off the premises of an operating center by an employee.” Additionally, the investigation found that Lincare regularly permitted employees to store PHI in their vehicles because many of its employees provided home health care services to patients. Finally, Lincare failed to take any corrective action once it learned of the incident that resulted in the complaint.

Taking into account all of these factors, OCR asserted in a Notice of Proposed Determination that Lincare committed three HIPAA Privacy Rule violations by (1) impermissibly disclosing PHI, (2) failing to reasonably safeguard PHI, and (3) neglecting to implement policies and procedures to comply with the HIPAA Privacy Rule’s requirements. Lincare appealed the Notice of Proposed Determination to the ALJ, claiming that it was not responsible for HIPAA violations because the complainant had stolen the PHI from the Lincare employee. The ALJ disagreed with Lincare’s assertion, noting in its decision that Lincare did not “provid[e] evidence to support its accusations” and that “the undisputed evidence establishes that Lincare violated HIPAA because it failed to safeguard the PHI of its patients.”

In announcing the ALJ’s decision, OCR Director Jocelyn Samuels noted that the office will “take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.” The ALJ’s decision is the second time in history that OCR has sought a civil monetary penalty for HIPAA Privacy Rule violations – the first instance was a $4.3 million penalty against Cignet Health in 2011.