In a recent decision, a US Department of Health and Human Services (HHS) Administrative Law Judge (ALJ) agreed with the HHS Office of Civil Rights (OCR) that Lincare, Inc. d/b/a United Medical had violated HIPAA. The ALJ also sustained OCR’s imposition of a civil money penalty (CMP) of $239,800 on Lincare. As noted by OCR in its press release, this case represents only the second time in its history that OCR has sought CMPs for HIPAA violations, and on both occasions the CMPs have been upheld upon judicial review.

Lincare is a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, with more than 850 branch locations in 48 states. The OCR investigation that eventually led to the imposition of the CMPs began when OCR received a complaint in December 2008 alleging that a Lincare employee working at the Lincare center in Wynne, Arkansas, had left the protected health information (PHI) of 278 Lincare patients in her former home when she moved residences. Based on its investigation, OCR determined that Lincare’s policies and procedures for safeguarding PHI in place from February 1, 2008, to at least July 29, 2009, did not provide adequate safeguards for patient information.

Specifically, OCR found that Lincare did not have any policies, procedures, or instructions for safeguarding PHI taken off the premises of an operating center by an employee. At the same time, Lincare’s policy was to permit employees to take PHI off the premises of the Wynne operating center on a daily, routine basis because its employees delivered health care services in the homes of patients. Moreover, the PHI removed from the premises was not tracked or recorded in any way. After OCR’s attempts to resolve Lincare’s failure to comply with the Privacy Rule by informal means were unsuccessful, OCR issued a notice of proposed determination in January 2014 imposing the CMP of $239,000, which was subsequently upheld by the ALJ.

OCR’s enforcement action in this case reinforces for providers the importance of safeguarding portable PHI, regardless of whether the PHI is maintained in paper or electronic form, and the need to revise their policies and procedures when they learn that existing policies and procedures have gaps or otherwise are not sufficient to prevent a breach from occurring. Health care providers, along with other covered entities and business associates, should carefully review their existing policies and procedures to ensure that they adequately safeguard PHI that can be removed from their premises. To the extent that this review identifies any potential gaps, providers should promptly take the necessary corrective action to eliminate these vulnerabilities.