On February 3 2016 the Department of Health and Human Services Office for Civil Rights (OCR) announced that an administrative law judge had ordered Lincare Inc – a home health provider of respiratory care, infusion therapy and medical equipment – to pay $239,800 in civil monetary penalties for violating the Health Insurance Portability and Accountability Act of 1996 Privacy Rule. The violations were:
- disclosing patient information to an unauthorised person;
- failing to take reasonable safeguards to protect patient information from unauthorised disclosure; and
- failing to implement adequate policies and procedures to protect patient information that had been removed from its offices.
This marks only the second time that the OCR has imposed civil monetary penalties for Health Insurance Portability and Accountability Act violations.
The OCR began investigating Lincare after a Lincare employee's husband complained that his wife had left behind documents containing the protected health information of 278 patients when she moved out of their home in November 2008. The administrative law judge found that the evidence established that the employee removed patients' information from the company's office, left it exposed in places accessible to an unauthorised person and then abandoned it.
The breached documents included:
- an emergency procedures manual containing names, addresses, telephone numbers and emergency contacts for 270 patients; and
- patient-specific documents (eg, assessments, care plans, prescriptions, certificates of necessities and order confirmations) that included names, addresses, phone numbers, birth dates, diagnoses, symptoms, test results, prescriptions and physician and pharmacy names for eight patients.
During the course of its investigation, the OCR found that Lincare employees who provided healthcare services in patients' homes regularly removed materials containing protected health information from the business premises. Lincare also had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time.
Despite being aware of the complaint and the OCR's investigation, Lincare allegedly did not take sufficient actions to correct its policies and strengthen its safeguards for protected health information taken offsite. While Lincare revised its policies in 2009, it failed to specify how employees should remove documents containing protected health information from secured storage areas, which the administrative law judge said left the policies "virtually unchanged". This led the administrative law judge to find that "Lincare management did not seem to recognize any problem and did not seriously consider amending its policies to safeguard protected health information removed from the office".
OCR Director Jocelyn Samuels explained:
"While OCR prefers to resolve issues through voluntary compliance, this case shows that [the OCR] will take the steps necessary, including litigation, to obtain adequate remedies for violations of the [Health Insurance Portability and Accountability Act] Rules".
Samuels further warned:
"Under the [administrative law judge's] ruling, all covered entities, including home health providers, must ensure that if their workforce members take [protected health information] offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that [protected health information], whether in paper or electronic form".
For further information on this topic please contact Anna Spencer at Sidley Austin LLP's Washington office by telephone (+1 202 736 8000) or email (firstname.lastname@example.org). Alternatively, contact Rina Mady at Sidley Austin's Chicago office by telephone (+1 312 853 7000) or email (email@example.com). The Sidley Austin website can be accessed at www.sidley.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.