A home health care company has been ordered to pay civil penalties of $239,000 for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

Lincare, Inc. supplies respiratory care, infusion therapy, and medical equipment to patients in their homes. In order to perform their jobs, Lincare employees must bring patient-specific medical records from the company offices to the patients' homes. Under HIPAA, these medical records are known as "protected health information" or "PHI."

One of Lincare's managers, Faith Shaw, removed medical records from a Lincare operating center. Over a nine-month period, she kept the documents in the home she shared with her then-husband, Richard Shaw, and in their car. When the couple separated and Ms. Shaw moved out of the home, she left the records behind. Several months later, Mr. Shaw discovered the records under a bed and in a kitchen drawer. He delivered the records to and filed a complaint with the Office for Civil Rights (OCR), which enforces HIPAA. OCR opened an investigation into Lincare's HIPAA compliance. 

Although OCR prefers to resolve compliance investigations through voluntary resolution agreements (which include monetary settlements and corrective action plans), negotiations between OCR and Lincare proved unsuccessful. In January 2014, OCR commenced formal penalty proceedings against Lincare. 

In January 2016, an Administrative Law Judge ruled in favor of OCR and against Lincare. The Administrative Law Judge held that Lincare had failed to safeguard PHI, and that its failure had resulted in PHI being disclosed to an unauthorized person (Mr. Shaw). The Administrative Law Judge also held that Lincare had failed to establish adequate policies and procedures to protect PHI. Lincare did have some written HIPAA policies; however, the policies did not address how offsite PHI should be secured, did not create procedures for tracking documents removed from the office, and did not ensure the return of the documents. The Administrative Law Judge upheld OCR's proposed penalty of $239,800. 

This decision is instructive for several reasons: 

  • Formal Proceedings. This is only the second time that OCR has initiated formal penalty proceedings for a HIPAA violation. (The other enforcement actions have been resolved or settled by agreement.) The penalty amount in this matter ($239,800) is much lower than the penalty in the previous matter ($4,300,000). This indicates to us that OCR is willing to litigate even so-called low-value violations.
  • Paper Records. In recent years, healthcare organizations have been working hard on the security of electronic PHI. This enforcement action reminds us that paper records still present significant risks. Covered entities and business associates should revisit their HIPAA policies and procedures with particular attention to these risks. For those with workforce members who regularly remove records containing PHI from the office, closer attention should be paid to tracking the movement of paper records out of and back into the office and establishing protocols for safeguarding such records while out of the office.

OCR's Notice of Proposed Determination is available here. The Administrative Law Judge's ruling is available here. The HHS press release regarding the decision is available here.