On February 3, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that an Administrative Law Judge (“ALJ”) ruled that Lincare, Inc. (“Lincare”) violated the HIPAA Privacy Rule and ordered the company to pay $239,800 to OCR.
Taking into account all of these factors, OCR asserted in a Notice of Proposed Determination that Lincare committed three HIPAA Privacy Rule violations by (1) impermissibly disclosing PHI, (2) failing to reasonably safeguard PHI, and (3) neglecting to implement policies and procedures to comply with the HIPAA Privacy Rule’s requirements. Lincare appealed the Notice of Proposed Determination to the ALJ, claiming that it was not responsible for HIPAA violations because the complainant had stolen the PHI from the Lincare employee. The ALJ disagreed with Lincare’s assertion, noting in its decision that Lincare did not “provid[e] evidence to support its accusations” and that “the undisputed evidence establishes that Lincare violated HIPAA because it failed to safeguard the PHI of its patients.”
In announcing the ALJ’s decision, OCR Director Jocelyn Samuels noted that the office will “take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.” The ALJ’s decision marks the second time in history that OCR has sought a civil monetary penalty for HIPAA Privacy Rule violations – the first instance was a $4.3 million penalty against Cignet Health in 2011.