Lincare to pay $240,000 HIPAA fine over handling of protected health information
Respiratory care provider Lincare has been ordered to pay $239,800 in penalties for violating the HIPAA Privacy Rule.
An administrative law judge ruled in favor of the Office for Civil Rights, which is charged with enforcing the rule. OCR had asked the judge to approve the penalties, and the judge granted them on all issues, the agency announced on February 3.
"While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules," OCR Director Jocelyn Samuels, said in a press statement. "The decision in this case validates the findings of our investigation."
Lincare claimed it had not violated HIPAA rules because the protected health information was "stolen" by the individual who discovered it on the premises previously shared with the Lincare employee. The judge rejected this argument.
Lincare provides respiratory care, infusion therapy and medical equipment to in-home patients. The company operates more than 850 branch locations in 48 states.
OCR's investigation of Lincare began after the agency received a complaint that a Lincare employee left behind documents containing the protected health information of 278 patients after moving to another home.
According to OCR, the employee removed patients' information from Lincare's office, left it exposed where an unauthorized person had access, and then abandoned it altogether.
[Like Healthcare IT News on Facebook]
The OCR investigation found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken off site, although employees, who worked in patients' homes, routinely removed PHI from Lincare offices. Moreover, evidence revealed Lincare had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods.
Even when Lincare was aware of the complaint and the OCR investigation, the company "took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules," OCR officials stated.