CMP for HIPAA Violations Imposed on Lincare Inc., by OCR

The Office for Civil Rights (OCR) has announced that Lincare, a provider of respiratory care and home health services, has been ordered to pay a CMP for HIPAA compliance violations as a result of the accidental disclosure of 278 confidential patient records. The civil monetary penalty of $239,800 was deemed appropriate after HIPAA Privacy Rule violations were discovered to have directly contributed to the patient privacy breach.

$239,800 CMP for HIPAA Violations for Lincare Inc.

A Department of Health and Human Services Administrative Law Judge (ALJ) recently ruled that Lincare had breached the HIPAA Privacy Rule, and was responsible for the breach of PHI of 278 individuals.

The decision came after an investigation conducted by OCR. OCR investigates all data breaches that involve the exposure of more than 500 records, although this investigation was triggered by a privacy complaint.

The complaint was filed by the estranged husband of Lincare General Manager Faith Shaw. Complainant Shaw discovered documents containing PHI which had been left by General Manager Shaw at her residence after she had moved out. The paper files were left unprotected and were seen by an individual unauthorized to view them: General Manager Shaw’s husband.

Lincare was notified of the investigation, yet made scant attempts to address HIPAA failures which resulted in the PHI of patients being exposed and unprotected for extended periods of time.

OCR investigators found that Lincare employees were permitted to take the PHI of patients home with them, and were allowed to leave the documents in locked vehicles. OCR determined that Lincare’s policies and procedures were insufficient to ensure that patient privacy was protected and PHI kept secure at all times.

OCR determined that Lincare had breached the Privacy Rule, although Lincare decided to fight the case rather than agree to a voluntary settlement. The healthcare provider maintained that the records had not been left at the residence, but had been stolen by complainant Shaw. The ALJ didn’t agree. Lincare was unable to provide evidence to substantiate its argument.

Second Time a CMP for HIPAA Violations Has Been Warranted

In the majority of cases, OCR comes to an agreement with a covered entity after HIPAA violations have been discovered. The majority of covered entities arrive at a reasonable settlement and cooperate with OCR. A settlement cannot always be reached, however. In such cases, a CMP for HIPAA violations is pursued.

The first CMP for HIPAA violations was imposed on Cignet in 2011. The Maryland-based healthcare provider fought the case, but lost and was ordered to pay $4.3 million for Privacy Rule failures after denying 41 patients access to their medical records.

OCR prefers to arrive at a settlement with the covered entity. It is usually in the interests of all parties to settle potential HIPAA violations rather than cover the cost of mounting a defense. A settlement, without admission of liability, is often deemed preferable, provided a reasonable settlement figure can be reached. When announcing the latest HIPAA fine, OCR pointed out that a CMP for HIPAA violations will be pursued if a settlement for HIPAA violations cannot be reached with a covered entity.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news