For only the second time in its history, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed civil monetary penalties (CMPs) on a health care provider for HIPAA violations.
Lincare, Inc. d/b/a United Medical (Lincare) was found to have violated HIPAA when the estranged husband of one of its managers complained to OCR that his wife improperly permitted him access to the records of 278 Lincare patients. After an OCR investigation and proposed determination, an HHS administrative law judge (ALJ) upheld the CMP of $239,800, finding that Lincare did not implement policies and procedures to safeguard records containing its patients’ PHI, and failed to protect against a disclosure of the PHI to unauthorized persons.
This post discusses where Lincare went wrong, and what providers can do to avoid a similar fate.
Lincare is a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, with more than 850 branches located in 48 states. Because its employees provided in-home services, patient records containing PHI were frequently taken outside of the company’s offices. Lincare instructed its center managers to maintain a copy of an “Emergency Procedures Manual,” which contained PHI of Lincare patients, “secured” in their vehicles to serve as back-up documentation in the event a center office was destroyed or otherwise rendered inaccessible. In addition, employees regularly removed other patient-specific documents from the office in order to deliver services, such as assessments, care plans, and order confirmations. While Lincare maintained policies addressing the privacy and security of records maintained within its offices, it had no written policy which addressed the privacy and security of PHI that was removed from its offices.
In accordance with Lincare’s customary practices, the branch manager in this case regularly took these patient-specific records from the office. When she separated from her husband and moved out of her home, she left the documents behind. Nobody at Lincare realized the documents were missing until her estranged husband, four months later, reported to Lincare and then to OCR that he had them in his possession. OCR’s investigation revealed that, upon learning of these events, Lincare took only minimal action to prevent further disclosure of PHI.
The ALJ’s decision analyzed two key failures by Lincare. The first was its failure to reasonably safeguard the PHI of its patients, which permitted the disclosure of PHI to an unauthorized individual. The second was Lincare’s failure to develop or implement policies and procedures to protect the PHI that staff removed from branch offices.
HIPAA requires that covered entities reasonably safeguard PHI from any impermissible use or disclosure. As an initial matter, Lincare argued that it was a victim of its employee’s theft for which it should not be held responsible. The ALJ, however – even conceding for the sake of argument the allegations of theft were true – was not persuaded that Lincare should not be accountable for an employee’s theft. The ALJ noted that Lincare was obligated to take reasonable steps to protect its PHI from theft. According to the ALJ, regardless of whether there was a theft,
"[Lincare] violated that obligation when [the employee] took documents out of the office, left them in places (car or home) accessible to [her husband], and then, apparently without giving a thought to the security of those documents, abandoned them entirely."
Importantly, even after having been made aware of these events, Lincare took no steps to prevent further disclosure of PHI. When asked whether Lincare considered revising its policies to include specific guidelines for safeguarding PHI taken out of its offices, its Corporate Compliance Officer responded that Lincare personnel “considered putting a policy together that said thou shalt not let anybody steal your protected health information.” Not surprisingly, the ALJ did not consider this to be a serious response.
HIPAA also requires that providers implement adequate policies and procedures, reasonably designed to take into account the size and activities undertaken by the covered entity. Although Lincare did have HIPAA privacy policies, the ALJ found that they were inadequate. Nowhere did the policies address how staff should handle PHI when removed from the office. In fact, their existing policies specifically limited where PHI could be used or stored to certain locations in the branch offices, rendering each removal of PHI from the office itself a violation of their own policies. With Lincare’s business model centered on in-home visits, this was especially egregious in the eyes of OCR and the ALJ. Again, the ALJ emphasized that Lincare took no steps to modify its policies and procedures even after having been made aware of these events. Although Lincare argued that its training satisfied this regulatory requirement, the ALJ made clear that “even if the training were flawless,” it would not compensate for the missing policies.
The Lincare decision is another example of OCR’s increased HIPAA enforcement involving a relatively small number of affected individuals, and its willingness to litigate HIPAA violations. Providers will recall that this is not the first time that OCR investigated a complaint involving fewer than 500 individuals. Providers cannot assume that it is only the number of affected individuals that matters to OCR. Moreover, while most HIPAA enforcements to date have resulted in a voluntary settlement and consent decree, this case is unique because, for only the second time, OCR imposed CMPs. See the Cignet Health enforcement, discussed here and here. OCR Director Jocelyn Samuels reminded providers that
"While OCR prefers to resolve issues through voluntary compliance; this case shows that we will take the steps necessary, including litigation, to obtain remedies for violations of the HIPAA Rules."
These violations and the subsequent enforcement action offer a number of helpful reminders for providers:
- Implement policies and procedures which are reasonably designed to protect PHI given the provider’s unique service delivery model. HIPAA compliance involves more than adopting a set of generic policies. At minimum, ensure that the written policies do not conflict with the actual practices of your workforce.
- Train your workforce, but don’t over-rely on training. Training is a necessary and critical component of HIPAA compliance, but it does not substitute for adequate policies and procedures.
- Demonstrate that you have adequate safeguards in place. Providers are usually responsible for the actions of their employees. Therefore, even in instances of employee theft, providers must demonstrate that they have adequate safeguards in place.
- Don’t forget to mitigate, and document the steps taken. HIPAA happens. Providers must be able to nimbly respond to incidents involving PHI, and appropriately modify its policies, procedures, and practices when necessary.
- Thou shalt respond to OCR investigations appropriately. As the ALJ hinted multiple times, snarky or otherwise non-serious responses are not advisable.
The HHS press release, along with the ALJ’s opinion, may be found here.