Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home health care provider announced yesterday, we can now add to that list the fact that PHI should not be stored under an employee’s bed or in a kitchen drawer.
OCR attempted to reach a voluntary resolution of the violations with Lincare, but was unsuccessful. In January 2014, the agency issued a notice of proposed determination of CMP in the amount of $239,800. The penalties related to failure to safeguard PHI, impermissible disclosure of PHI, and failure to implement policies and procedures reasonably designed to ensure compliance with the Privacy Rule. Lincare appealed the determination to the ALJ. On January 13, 2016, the ALJ granted OCR’s motion for summary judgment and sustained the CMP. The Lincare action is only the second time that OCR has sought CMP for violations of HIPAA. The first was a $4.3 million fine against Cignet Health in 2011.
In 2016, while privacy officers and IT specialists lie awake at night worried about moving healthcare data to the cloud or the threat of cyberattacks on PHI, it’s easy to forget that protecting PHI can be a low-tech endeavor as well. The Lincare action highlights the importance of having robust policies and procedures to protect PHI, particularly for providers whose employees perform services offsite and must transport PHI as part of their job functions.