Clearwater, Florida-based respiratory and infusion care provider Lincare Holdings has been ordered to pay a HIPAA violation penalty of $239,800 to the Department of Health and Human Services Office for Civil Rights (OCR) by an administrative law judge.
This is only the second time in the past 8 years that a HIPAA-covered entity has been forced to pay a HIPAA fine rather than agreeing to a settlement with the OCR to settle HIPAA-related charges.
Lincare decided to fight the case rather than negotiate a settlement over alleged violations of the HIPAA Privacy Rule. Lincare maintained no violation of the HIPAA Privacy Rule had occurred as patient PHI had been stolen by an employee of the firm.
Lincare was investigated following a complaint made to the OCR about an employee of the company who had moved home and had left behind the confidential protected health information of 278 patients. The PHI had been removed from Lincare’s offices and had then been left in a location where it was unprotected and could be accessed by unauthorized individuals. According to the OCR, the PHI had been abandoned by the employee.
Lincare has over 850 branch locations in 48 states and regularly provides in home services to patients. OCR investigators determined during the course of the investigation that Lincare had inadequate policies and procedures in place to protect PHI that was removed from company premises, even though PHI was routinely taken offsite by employees of the company.
The OCR also found evidence to suggest that Lincare had an unwritten policy that permitted employees to remove PHI from company premises and leave the data in employees’ vehicles for extended periods of time.
Even when made aware that the OCR was conducting an investigation into alleged Privacy Rule violations, Lincare only took minimal action to correct its policies and ensure compliance with the HIPAA Privacy and Security Rules.
While HIPAA does not prohibit the removal of patient PHI from company offices, covered entities must ensure that appropriate safeguards are applied to prevent unauthorized individuals from viewing, copying, or stealing the protected health information of patients. Those rules apply to all PHI, whether in paper or electronic form.
Office for Civil Rights director Jocelyn Samuels said “While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”