Health Law Gurus

Historic Moment: Husband Reports Wife’s HIPAA Violation Triggering Six Figure Penalty Against Employer

For the second time in history, the Office for Civil Rights (“OCR”) has imposed a civil monetary penalty (“CMP”) against a covered entity for violations of the Health Insurance and Portability Act (“HIPAA”). Lincare, Inc., a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, is required to pay a $239,800 CMP for failure to safeguard its patients’ protected health information (“PHI”) in violation of HIPAA. A U.S. Department of Health and Human Services administrative law judge has upheld the imposition of the CMP and granted summary judgment to OCR on all issues.

OCR began investigating Lincare in 2009 after it received a complaint from Richard Shaw stating that he had found the PHI of 278 patients inside the home that he formerly shared with his wife, Faith Shaw, a Lincare employee. Ms. Shaw, who worked as a manager of an operating center for Lincare, left the PHI in her home when she moved out. In addition, Ms. Shaw routinely kept and maintained PHI in her car, despite her knowledge that her husband, Mr. Shaw, had a key to the car.

The compromised PHI included an emergency procedures manual with the names, addresses, telephone numbers, and emergency contacts of 270 patients. In addition, there were patient assessment and care plans, physician prescriptions, certificates of necessity, and confirmation of orders with names, addresses, telephone numbers, dates of birth, medical symptoms, diagnosis, medical test results, prescriptions, names of physicians, and names of pharmacies for an additional 8 patients.

During its investigation, the OCR found the following:

• Impermissible Disclosure of PHI: Ms. Shaw impermissibly disclosed PHI in violation of 45 C.F.R. § 164.502(a) by allowing Mr. Shaw access to the PHI either in the car or in their shared home.
• Failure to Safeguard PHI: Ms. Shaw did not implement appropriate safeguards to protect the PHI from unauthorized use or disclosure in violation of 45 C.F.R. § 164.530(c). She left PHI in her car and abandoned PHI in her home after she moved out.
• Failure to Implement Appropriate Administrative Policies and Procedures: Lincare failed to implement appropriate policies and procedures to safeguard PHI in violation of 45 C.F.R. § 164.530(i)(1). Employees were permitted to remove PHI from the operating center and maintain it in their vehicles for indefinite periods of time. Lincare did not record or track the movement of PHI or instruct employees how to maintain the PHI in a safe and secure manner.

The administrative law judge, granting summary judgment to OCR, confirmed that the “undisputed evidence establishes that Lincare violated HIPAA because it failed to safeguard the PHI of its patients; a member of its workforce disclosed patient PHI to an unauthorized person; and it lacked policies and procedures reasonably designed to ensure compliance with the Privacy Rule.”

OCR Director Jocelyn Samuels stated that “[w]hile OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.” She further stated that “all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”

To read the HHS Press Release, click here.

To read the OCR’s Notice of Proposed Determination, click here.

To read the ALJ’s Opinion, click here.