by Amy Holliday
On January 13, 2016, a U.S. Department of Health and Human Services (HHS) Administrative Law Judge (ALJ) upheld a $239,800 penalty against Lincare, Inc., finding the company “violated HIPAA because it failed to safeguard the PHI of its patients.” Lincare supplies respiratory care, infusion therapy, and medical equipment to patients in their homes across the country.
The Office for Civil Rights (OCR) enforces the regulations, commonly known as HIPAA (the Health Insurance Portability and Accountability Act), that protect individuals’ rights to have their protected health information (PHI) kept secure and private. PHI includes data that might be used to identify a specific patient, including name, address, telephone number, date of birth, Social Security Number, and other information.
The investigation began when the estranged husband of a Lincare manager filed a complaint with the company and OCR alleging that his wife had allowed him access to the PHI of patients. The evidence presented by OCR, and upheld by the ALJ, stated that this manager stored an “Emergency Procedure Manual” in her vehicle, even though she knew her husband had keys to the car. The manual contained PHI of 270 patients, specifically their names, addresses, telephone numbers, and emergency contacts. The investigation noted that, at the time of the incident, the company instructed its managers to maintain copies of the Emergency Procedure Manual “secured” in their vehicles so that company employees would have access to patient contact information if an office was destroyed or otherwise made inaccessible. The evidence also stated that patient assessments and care plans were accessed by the husband in the marital home after the manager moved out and left her car. These documents contained patient names, addresses, telephone numbers, dates of birth, medical symptoms, diagnoses, medical test results, prescriptions, names of physicians, and names of pharmacies.
In 2014, OCR issued penalties against Lincare for three violations of the HIPAA Privacy Rule: (1) $25,000 for impermissible disclosure of protected health information; (2) $25,000 for failure to safeguard protected health information; and (3) $189,800 for having deficient policies and procedures that allowed workforce members to remove PHI from its premises without appropriately safeguarding the PHI.
OCR Director Jocelyn Samuels commented, “While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules. Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”
Home health care providers, and business associates, who transport electronic or paper documents containing PHI outside of the office should take note of this enforcement action and take appropriate steps to reduce the risk of a HIPAA violation:
While you can never fully predict or explain the behavior of your employees (or their ex-spouses!), you can buttress your compliance efforts with strong policies and procedures, and be able to provide HHS with ample evidence that you have been diligent about protecting PHI. An ounce of prevention can be worth many pounds (or dollars) of cure.
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lincare/index.html
Amy Holliday is a nurse and HIPAA consultant who is passionate about helping home care providers and physicians protect the privacy and security of their patients’ PHI. She was a hospice and home health RN for over 25 years before transitioning to wellness, prevention and quality reporting with an accountable care organization (ACO). She was compelled to advocate for patients and providers after experiencing the vast amount of misinformation concerning HIPAA in transitions of care. Amy joined Carosh Compliance Solutions and has achieved Certification in Healthcare Privacy and Security (CHPS) with AHIMA (American Health Information Management Association), and she volunteers on the Education Committee of the Georgia Chapter of AHIMA (GHIMA). She is active in her local Medical Group Management Association (MGMA) and advocates for physicians and practice managers, helping them understand and demonstrate compliance with HIPAA regulations in an efficient manner. “My goal is to help ease the confusion surrounding HIPAA compliance, so home care providers and physicians can confidently spend more time doing what they do best… taking care of patients.”
©2015 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Tim Rowan's Home Care Technology Report. homecaretechreport.com One copy may be printed for personal use; further reproduction by permission only.