(March 29, 2016) Lincare, Inc., a provider of respiratory care, infusion therapy and medical equipment to in-home patients, will pay $239,800 in Civil Money Penalties (CMPs) for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule after an HHS Administrative Law Judge (ALJ) ruled in favor of the Office for Civil Rights (OCR). This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and both times the CMPs have been upheld by the ALJ.
OCR’s investigation of Lincare began after an individual, the estranged husband of a Lincare employee, complained that she had left behind documents containing the protected health information (PHI) of 278 patients after she had moved out of their residence. The Lincare employee had kept documents containing patient PHI in her car, to which her husband had keys, and left documents behind in the home after moving. Lincare did not learn the documents were missing until months later, when the employee’s estranged husband reported to Lincare and OCR that he had the documents containing PHI in his possession.
I. Lincare Was Alleged to Have Not Properly Safeguarded PHI:
Under HIPAA, all covered entities, including home care providers, must protect the privacy of the PHI of those they treat. To that end, HHS implemented a “Privacy Rule,” which sets the standards for protecting PHI, requires covered entities not to disclose PHI improperly, and requires that they “must reasonably safeguard” PHI from “any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements.”
Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures to safeguard patient information that was taken offsite, even though its employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Lincare had instructed its managers to keep copies of the procedures manual “secured” in their vehicles so that company employees would have access to patient contact information if a center office were destroyed or became inaccessible.
The ALJ held that Lincare failed to develop and implement policies and procedures reasonably designed to protect its patients’ PHI while those documents were out of the office.
Under the ALJ’s ruling, all covered entities must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.
Lincare claimed that it had not violated HIPAA because the PHI was “stolen” by the individual who discovered it on the premises previously shared with the Lincare employee. The ALJ rejected this argument, holding that under HIPAA, Lincare “was obligated to take reasonable steps to protect its PHI from theft.”
The court noted that even after Lincare learned of the breach, it took no steps to prevent further disclosure of PHI and its managers “did not seem to recognize they had a significant problem protecting PHI that was removed from the office.”
When asked whether Lincare had considered revising its policies to include specific guidelines for taking PHI out of its offices, the Corporate Compliance Officer responded that it had “considered putting a policy together that said thou shalt not let anybody steal your protected health information.” Since sarcasm is seldom appreciated in a courtroom, the ALJ did not “consider this a serious response.”
II. Lincare Was Alleged to Have Failed to Develop or Implement Appropriate Policies and Procedures to Prevent the Improper Disclosure of PHI:
The ALJ held that providers must develop and implement adequate policies and procedures that are reasonably designed, taking into account the size and the type of activities undertaken by the covered entity, to ensure compliance, and again noted that such policies and procedures must be maintained “in written or electronic form.”
While Lincare had a written privacy policy that addressed maintaining records within the center offices, “no written policy even addressed staff’s protecting PHI that was removed from the offices.”
Lincare did revise its policies after it learned of the unauthorized disclosure, but the revisions provided “no guidance to employees required to remove documents from the office’s secured storage space.” Poorly written policies, as here, that are overly broad and provide “no usable guidance to employees,” do not satisfy the Privacy Rule requirements.
Lincare further claimed that it satisfied the HIPAA requirements because its employees were trained in privacy policies and “understood those policies, practices and procedures.” The ALJ rejected that contention, holding that “even if training were flawless…staff training does not compensate for missing policies. In addition to having policies and procedures in place, the covered entity must train all members of its workforce.”
In conclusion, it is imperative for all health care providers that serve patients outside of an institutional or clinical setting to develop and implement adequate policies and procedures, in written or electronic form, that are reasonably designed and that specifically address the “type of activities” involved, such as protecting PHI “off-site,” to ensure compliance with the Privacy Rule.