For only the second time in its history, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has imposed a civil money penalty (CMP) on a covered entity for allegedly violating the HIPAA Privacy Rule. Although it may be a relatively low fine ($239,800) compared to recent settlements, the decision of the Administrative Law Judge (ALJ) upholding the CMP is a reminder that when employees take protected health information (PHI) home but do not adequately protect it, trouble may follow.

On February 3, OCR announced that an HHS ALJ recently granted OCR summary judgment against Lincare, Inc., upholding OCR’s imposition of $239,800 in CMPs and finding that the in-home medical care company violated the HIPAA Privacy Rule by disclosing the PHI of 278 patients and failing to have adequate policies and procedures to protect PHI when it is taken offsite by company employees. The ALJ found that the undisputed evidence showed that Lincare violated its duties to protect PHI when a manager removed patient records from the company’s offices, left the documents in her car and home – both of which were shared with and accessible by her husband – and later abandoned the documents with her husband when she moved out of their home. Further, the ALJ found the company’s policies as written from February 2008 through July 2009 were not “reasonably designed” to protect PHI when the records were taken from its offices, as they allowed employees to remove PHI without appropriate and reasonable safeguards.

What to Do in Response. In this case, the covered entity had to permit PHI to be taken offsite. This is a common scenario for many covered entities and business associates. Steps to consider include:

  • Conduct an assessment to know where your PHI is and how it is used and disclosed. This may be part of your risk analysis.
  • Review your business practices to verify when and whether PHI should be taken offsite and develop a “business case” supporting the decision.
  • Limit situations when PHI may be removed and explore alternatives, such as remotely accessing PHI through a VPN or portal rather than carrying PHI stored on a laptop or portable device.
  • Implement appropriate safeguards to protect PHI when offsite – or accessed remotely.
  • Review and update your policies and procedures governing how workforce must safeguard PHI from unauthorized disclosures when taking records out of your facilities for official purposes.
  • Don’t permit workforce to leave PHI unattended in a vehicle.
  • Strongly consider encryption.
  • Enforce sanctions for workforce who do not comply with the entity’s privacy and security policies and procedures.

Some Take-Away Thoughts. There is still time for Lincare to appeal the ALJ’s decision to the HHS Departmental Appeals Board, so this is not necessarily the end of the matter. But covered entities and business associates that provide services away from their company offices – thus requiring workforce to remove records containing PHI – should take note of OCR’s enforcement action and the ALJ’s decision, as the judgment against Lincare may relate to their business operations.

  • Leaving PHI in an area where others have access – even employees’ family members – may constitute an unauthorized disclosure. Both OCR and the ALJ noted that the Lincare manager’s storage and later abandonment of patient PHI in her car and home was an unauthorized disclosure under HIPAA, as her husband had access to both areas and later discovered the PHI. Moreover, the ALJ was unpersuaded by Lincare’s claim that it was not responsible because the PHI was stolen, stating that even if the company was the victim of theft, it still had the responsibility to take reasonable steps to protect PHI – an obligation it failed to meet by leaving patient records in areas accessible by others and then abandoning the records entirely.
  • Deceptively low fines? Although the CMP levied against Lincare is seemingly low, covered entities should not be deceived into thinking that similar conduct won’t lead to bigger fines. Indeed, most OCR investigations are settled through voluntary resolution agreements that contain fines closer to $1 million or more and typically come with the added burden of a corrective action plan. The fine was lower here because the majority of Lincare’s conduct at issue occurred before the HITECH Act took effect and thus was subject to lower penalty amounts.
  • First True HIPAA Appeal. Although this is the second time OCR has imposed CMPs, this is the first time the covered entity appealed the penalties to an ALJ. In the other CMP case, Cignet Health failed to appeal its CMP to an ALJ, leading to a court dismissing its subsequent appeal due to Cignet’s failure to exhaust its administrative remedies. Accordingly, this is our first glimpse into an administrative body’s review of an OCR HIPAA enforcement action. The ALJ upheld the OCR decision on summary judgment, suggesting that it may be an uphill battle to overcome deference to OCR’s interpretation of what privacy and security practices are reasonable.
  • Cooperation is the better part of valor in an OCR investigation. While OCR has settled the vast majority of its HIPAA enforcement actions, OCR’s decision to impose CMPs on Lincare highlights that OCR is able to pursue additional remedies for HIPAA violations and underscores the importance of covered entities cooperating with OCR in an investigation. OCR suggested that Lincare took only minimal actions to correct the issues raised, which likely led to OCR seeking CMPs. It is unclear whether Lincare would have had a more favorable result in terms of penalties imposed had it reached an informal resolution with OCR earlier, but cooperation may have saved the company years in litigation and its recent adverse judgment.