Home Health Provider Hit with $240,000 HIPAA Penalty

Lincare, a major provider of in-home respiratory care and other services, will pay $238,900 in civil monetary penalties for violating the Health Insurance Portability and Accountability Act (HIPAA), federal authorities announced Wednesday.

This marks only the second time that the Office for Civil Rights (OCR) has imposed civil monetary penalties for a HIPAA violation. The penalty was challenged but has now been upheld by an administrative law judge (ALJ).

The case demonstrates some of the pitfalls faced by home health providers, given that workers often take confidential patient files into the field.

The breach involved a Lincare branch in Wynne, Arkansas, doing business as United Medical. Faith Shaw worked as a manager there from October 2005 until July 2009, according to the decision written by ALJ Carolyn Cozad Hughes.

When she left her husband in late 2008, Shaw left behind documents containing the protected health information of 278 patients. The documents had been removed from the company’s office in accordance with Lincare policy, which stated that managers should keep procedures manuals “secured” in their cars as a backup, in case the office were destroyed or inaccessible, according to the ALJ document.

“[Shaw] told the OCR investigator that she kept the documents in her car even though she knew that her husband had keys to the car,” Cozad Hughes wrote. “When she moved out of the marital home in August 2008, she left the documents behind. She also admitted to the OCR investigator that, when she left, she didn’t even know where the car was parked.”

Shaw’s husband subsequently contacted Lincare and the OCR to report that he had access to the protected information.

Lincare claimed that the documents had been stolen and were being used by Shaw’s husband as part of a ploy to win her back.

“The case to which you refer involved the theft of patient information from a Lincare employee, and criminal charges were filed against the individual who committed the crime,” according to a company statement emailed to Home Health Care News. “Lincare proactively informed the Office for Civil Rights that patient information had been stolen.”

The ALJ was not convinced by this defense, however. These allegations against Shaw’s husband were “unsupported” and the whole line of defense was ill-conceived, she wrote.

“Even if I accepted the allegations, Lincare’s ‘defense’ is just as damaging – perhaps even more damaging – than the OCR version of events,” Cozad Hughes wrote. “Under HIPAA, Respondent was obliged to take reasonable steps to protect its [protected health information] from theft. It violated that obligation when Manager Shaw took documents out of the office, left them in places (car or home) accessible to this purportedly untrustworthy and possibly unbalanced individual, and then, apparently without giving a thought to the security of those documents, abandoned them entirely.”

Lincare took a blasé approach to HIPAA compliance, failing to create adequate policies around documents removed from offices even after this breach occurred, the ALJ stated.

“When asked whether Lincare considered revising its policies to include specific guidelines for safeguarding [protected health information] taken out of its offices, Corporate Compliance Officer Pederson replied that Lincare personnel ‘considered putting a policy together that said thou shalt not let anybody steal your protected health information,’” Cozad Hughes wrote. “I do not consider this a serious response.”

Lincare disputes that it shirks its duties in this area.

“Lincare takes its responsibility to patient privacy very seriously, and we follow strict policies and procedures to protect patient information,” according to the company’s emailed statement.

The decision was received by Lincare’s attorneys on Jan. 20, and they were given 30 days to file a notice of appeal.

Based in Clearwater, Florida, Lincare is owned by German corporation The Linde Group. Lincare operates from about 1,000 locations in 48 U.S. states and Canada, and recently expanded to more than 200 additional locations by acquiring American HomePatient.

Written by Tim Mullaney