And beware that an ALJ will likely back OCR’s decision.
When it comes to HIPAA compliance, the HHS Office for Civil Rights (OCR) isn’t fooling around. And if you don’t agree with OCR’s findings of noncompliance, chances are it will slap you with civil money penalties (CMPs).
Background: OCR investigated home health equipment and care provider Lincare Inc. after an individual complained that a Lincare employee, on moving residences, left behind documents containing 278 individuals’ protected health information (PHI), according to a Feb. 3 OCR announcement. The employee had removed patient information from Lincare’s office, left the PHI exposed where an unauthorized individual had access to it, and then abandoned the PHI altogether.
Sharpen Your Policies & Procedures
OCR’s investigation revealed that Lincare had inadequate policies and procedures in place to safeguard patient information taken offsite. Lincare employees, who provided healthcare services in patients’ homes, regularly took materials containing patient information from Lincare’s offices for use.
Best bet: If you have employees who take any kind of patient information outside the workplace, make sure you have policies and procedures to keep data secure — and make sure you’re training employees on those policies and procedures.
OCR further discovered that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time. And even after Lincare was aware of the complaint and OCR’s subsequent investigation, the company “took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules,” OCR stated.
OCR Isn’t Afraid to Impose CMPs
The investigation led OCR to seek $239,800 in CMPs from Lincare. What’s significant about this case is that it is only the second time OCR has sought CMPs for HIPAA violations.
This is also the second time that an HHS Administrative Law Judge (ALJ) has upheld OCR’s decision to impose CMPs.
Why? OCR has rarely needed to impose CMPs, largely because nearly all healthcare entities voluntarily comply with OCR’s demands and enter into a voluntary compliance or resolution agreement. But in this case, Lincare claimed it had not violated HIPAA because the individual “stole” the PHI discovered on the premises previously shared with the Lincare employee.
The ALJ agreed with OCR, however, that Lincare “was obligated to take reasonable steps to protect its PHI from theft.”
Takeaway: “While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” OCR Director Jocelyn Samuels said in the Feb. 3 announcement. And the ALJ’s decision validated the OCR investigation’s findings.
“Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take [PHI] offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form,” Samuels stated.
You can read the ALJ’s opinion and the Notice of Proposed Determination at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lincare/index.html.