Don’t Keep PHI in Kitchen Drawers or Under the Bed!
For only the second time in history, OCR has imposed a civil monetary penalty for a HIPAA violation. And the penalty was upheld by an Administrative Law Judge (ALJ) on summary judgment (meaning there was no genuine issue of material fact, and the party requesting summary judgment was entitled to judgment as a matter of law).
The $239,800 penalty was imposed on Lincare, a company providing in-home respiratory care to patients in 48 states. The penalty was based on an investigation that began with a complaint filed with OCR by an employee’s estranged husband. From OCR’s Notice of Proposed Determination:
“[He] states that he found the PHI under a bed and in a kitchen drawer…[the employee] left the PHI in the home when she moved out…[The husband] delivered the PHI of 278 Lincare patients to OCR.”
According to OCR’s Press Release, “employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time.”
OCR’s investigation found that the company’s “Privacy Policy does not include any policies, procedures or instructions for safeguarding PHI that is taken off the premises of an operating center by an employee.” Remarkably, this lack of guidance continued after the company was notified of the breach. From the ALJ opinion:
“When asked whether Lincare considered revising its policies to include specific guidelines for safeguarding PHI taken out of its offices, Corporate Compliance Officer replied that Lincare personnel ‘considered putting a policy together that said thou shalt not let anybody steal your protected health information.’ I do not consider this a serious response.”
The ALJ upheld the imposition of $239,800 in civil monetary penalties. Lincare has the option of appealing, so this saga may not be over.
There are at least these three take-away points:
- PHI cannot be left where others can access it.
- If OCR tells you about a problem, cooperate with OCR and take steps to fix the problem. I do wonder if Lincare’s seeming indifference to even the existence of a problem played a role in OCR’s decision to impose the penalties.
- The ALJ didn’t even hear the case – but rather decided on Summary Judgment that OCR’s penalties were justified.
In an unrelated HIPAA case, a physical therapy provider recently agreed to pay $25,000 for a resolution agreement, to avoid further investigation of alleged HIPAA violations. The company had impermissibly disclosed PHI by posting patient testimonials, including full names and full face photos, to its website without obtaining valid authorizations.
Donna Vanderpool, MBA, JD – Vice President
As Vice President of Risk Management, Ms. Vanderpool is responsible for the development and implementation of PRMS’s risk management services for The Psychiatrists’ Program. Ms. Vanderpool has developed expertise in the areas of HIPAA and forensic practice, and has consulted, written and spoken nationally on these and other healthcare law and risk management topics. She most recently contributed to a chapter in Gun Violence and Mental Illness (APPI), authored chapters on telepsychiatry in Mental Health Practice in a Digital World (Springer) and Psychoanalysis Online 2 (Karnac). She also has co-edited and contributed chapters to several other clinical textbooks. Prior to joining PRMS in 2000, Ms. Vanderpool practiced criminal defense law, taught business and legal courses, and spent eight years managing a general surgical practice. Ms. Vanderpool received a Bachelor’s degree in Business Administration and Management from James Madison University. She also earned a Master of Business Administration degree and Juris Doctor degree from George Mason University. Follow Donna on LinkedIn.