Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home health care provider announced yesterday, we can now add to that list the fact that PHI should not be stored under an employee’s bed or in a kitchen drawer.

Yesterday OCR announced a January 13, 2016 decision by an HHS Administrative Law Judge (“ALJ”) upholding the imposition of $239,800 in civil monetary penalties (“CMP”) against Lincare, Inc. (“Lincare”). Lincare is a home health care company that provides respiratory care, infusion therapy, and medical equipment from centers located throughout the United States. The enforcement action stems from a December 2008 complaint by the estranged husband of a Lincare employee. The husband reported to OCR that his wife, a center manager for a Lincare center in Arkansas, had moved out of the home they shared in August 2008. In November 2008, the husband found PHI of 278 Lincare patients in the home, specifically “under a bed and in a kitchen drawer.” Further investigation by OCR revealed that the employee continuously stored PHI in her car and in her home. The investigation also uncovered the fact that Lincare’s privacy policy did not include policies or instructions to employees for protecting PHI taken offsite or any type of logging systems for tracking PHI taken offsite.

OCR attempted to reach a voluntary resolution of the violations with Lincare, but was unsuccessful. In January 2014, the agency issued a notice of proposed determination of CMP in the amount of $239,800. The penalties related to failure to safeguard PHI, impermissible disclosure of PHI, and failure to implement policies and procedures reasonably designed to ensure compliance with the Privacy Rule. Lincare appealed the determination to the ALJ. On January 13, 2016, the ALJ granted OCR’s motion for summary judgment and sustained the CMP. The Lincare action is only the second time that OCR has sought CMP for violations of HIPAA. The first was a $4.3 million fine against Cignet Health in 2011.

In 2016, while privacy officers and IT specialists lie awake at night worried about moving healthcare data to the cloud or the threat of cyberattacks on PHI, it’s easy to forget that protecting PHI can be a low-tech endeavor as well. The Lincare action highlights the importance of having robust policies and procedures to protect PHI, particularly for providers whose employees perform services offsite and must transport PHI as part of their job functions.

A press release from OCR is available here, along with links to the notice of proposed determination from OCR and the ALJ’s opinion.