An Administrative Law Judge for the U.S. Department of Health and Human Services recently ruled that Lincare violated the HIPAA Privacy Rule by failing to implement policies and procedures to safeguard protected health information (PHI) and by failing to protect PHI from disclosure to unauthorized persons. For these violations, the Judge imposed $239,800 in civil monetary penalties. This is only the second time the Office for Civil Rights (OCR) has pursued civil monetary penalties for HIPAA violations, and the first time such a matter has been appealed to an Administrative Law Judge. The ruling serves as a reminder of the importance of maintaining adequate policies and procedures to safeguard PHI and prevent its unauthorized disclosure.

The OCR became aware of the violation when the estranged husband of a Lincare Center Manager reported that his wife had left documents containing PHI in his possession, even though he was not authorized to see them. Lincare had instructed its Center Managers to keep copies of certain PHI "secured" in their vehicles so that employees would still have access to patient contact information if a center office was destroyed or otherwise made inaccessible. As a Center Manager, the wife kept such PHI in her car despite knowing that her husband had keys to it. She ultimately abandoned the PHI in her home and vehicle.

In reaching this conclusion, the Judge noted that Lincare had no written policy addressing PHI removed from its offices. Lincare's privacy policy could even be read as prohibiting the removal of PHI, despite a business model that required employees to take PHI out of the office. Lincare also lacked policies and procedures for monitoring PHI that was moved offsite, which meant that PHI could go missing without ever coming to Lincare's attention.

In light of this ruling, covered entities and business associates should consider whether their policies and procedures adequately protect PHI that is moved offsite. Specifically, employers should consider the circumstances in which they permit PHI to be moved offsite, which policies and procedures apply to PHI once it leaves the office, and how offsite PHI will be tracked. Employers that allow PHI to be removed from their offices should also consider safeguards such as encryption and limiting remote access to PHI to virtual private networks.
