Home Health & Hospice Week

Oxygen provider pays 6-figure HIPAA Civil Money Penalty.

If you thumb your nose at HIPAA regulations, you may pay a big price.

Case in point: An Administrative Law Judge sided with the HHS Office for Civil Rights in a HIPAA case involving oxygen behemoth Lincare Corp. “OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide health care services in patients’ homes, regularly removed material from the business premises,” the agency says in a release.

Therefore, ALJ Carolyn Cozad Hughes upheld a Civil Money Penalty amount totaling nearly $240,000, according to her Jan. 13 decision released by OCR Feb. 3.

Mistake #1: “Evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time,” OCR notes. When a manager at Lincare’s Wynne, Ark., location stored 278 patients’ PHI in her car and then abandoned it when leaving her spouse, the PHI was obtained by the manager’s estranged spouse and reported in 2008 — sparking an OCR investigation.

Mistake #2: “The company had no policies — written or otherwise — in place to monitor documents removed from their offices and to ensure their return.” So Lincare had no idea the documentation was even missing, the ALJ says.

Mistake #3: “Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules,” OCR says. Lincare claimed the PHI was stolen and it wasn’t responsible — end of story.

Mistake #4: In her decision, ALJ Cozad Hughes does not seem amused by Lincare’s sometimes flippant attitude in the case. For example, she condemns the company’s assertion that the OCR’s exhibits were “unverified pieces of paper” that were inadmissible. And when asked whether Lincare considered revising its policies after the incident, Lincare’s corporate compliance officer responded that Lincare personnel “considered putting together a policy that said ‘thou shalt not let anybody steal your protected health information.’” The Judge replies, “I do not consider this a serious response.”

CMPs vs Settlement: Usually, HIPAA-related settlements (and their amounts) are negotiated between providers and OCR. This case “is only the second time in its history that OCR has sought CMPs for HIPAA violations, and each time the CMPs have been upheld by the ALJ,” OCR stresses.

The other CMP HIPAA case, against Cignet Health, had a much higher fine amount at $4.3 million, note attorneys Elliot Golding and Christopher Hoff with Crowell & Moring in a Feb. 8 analysis. Cignet had failed to provide 41 patients with requested medical records. As with Lincare, OCR said Cignet did little or nothing to resolve the problem and prevent recurrences.

“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” OCR Director Jocelyn Samuels adds in the release.

Bottom Line: “Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form,” Samuels insists.

“This case serves as a reminder that OCR can and will proceed with formal enforcement action both when the facts indicate serious wrongdoing and when OCR’s preferred method of informal resolution fails,” Golding and Hoff stress.

Note: See links to the ALJ opinion, release and more at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lincare/index.html.