A recent ruling from an administrative law judge emphasizes the importance of HIPAA compliance for physicians.
On March 1, 2016, an administrative law judge (ALJ) upheld the civil monetary penalties (CMPs) that HHS' Office for Civil Rights (“OCR”) levied against Lincare, Inc., a medical supplies firm based in Norwalk, Ct., for violations of HIPAA. On Jan. 28, 2014, OCR sent Lincare a letter of determination indicating that it was in violation of HIPAA for the following reasons:
• Failing to “implement written policies and procedures to safeguard records containing protected health information (PHI) that the employees in its 1,200 operating centers use daily to provide in-home services;”
• Failing “to implement reasonable safeguards containing PHI of 278 name patients against disclosure to unauthorized persons;” and
• “Impermissible disclosure of the PHI of these 278 patients to an unauthorized individual.”
In response to this letter, and after missing the 90-day deadline to request a hearing, Lincare requested an administrative hearing pursuant to its right to appeal. In response, OCR filed a motion for summary judgment and, once again, Lincare missed the period to appeal. On Jan. 13, 2016, the ALJ granted the motion for summary judgment and upheld the imposition of $239,800 in CMPs against Lincare.
Why is this important for physicians? First, it is the second time that OCR has requested CMPs for HIPAA violations, and both times they were upheld by an ALJ. Second, the complaint originated after an individual complained that a Lincare employee left medical records behind after moving residences. “Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether,” HHS wrote. During the course of the investigation, OCR discovered that Lincare had woefully inadequate policies and procedures. Given the circumstances surrounding Lincare’s penalty, here are some steps that providers can take:
1. Make certain that policies and procedures are comprehensive and address remote workers, as well as paper and electronic PHI;
2. Perform an adequate risk analysis and risk assessment annually;
3. Implement adequate technical, administrative and physical safeguards, in keeping with various rules and regulations.
Like the False Claims Act, where cases are filed under seal and may not become public for years, investigations of potential HIPAA violations could be ongoing. Hence, it is crucial to be proactive.