Latest HIPAA Enforcement: OCR Imposed $239,800 in CMP Upon Lincare
Lincare’s HIPAA Enforcement Case
In a February 3, 2016 U.S. Department of Health and Human (HHS) Services Press Release, announced that a U.S. HHS Administrative Law Judge (ALJ) upheld the Office for Civil Rights (OCR) decision to impose Civil Monetary Penalties (CMPs) against Lincare when the ALJ found that Lincare, Inc. (Lincare) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The ALJ granted summary judgment to the Office for Civil Rights (OCR) on all issues. Lincare has been ordered to pay $239,800 in CMPs imposed by OCR. The press released indicated that this is only the second time in its history that OCR has sought CMPs for HIPAA violations.
Lincare is a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, with more than 850 branch locations in 48 states. OCR Director, Jocelyn Samuels, says that this case confirms that “all covered entities, including home health providers, must ensure that, if their workforce members take protected health information (PHI) offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”
Does Your Organization Have Controls for PHI Offsite?
This decision should give healthcare companies pause to check their policies for the handling of PHI offsite. Many managed care organizations and other healthcare providers routinely deploy concurrent review nurses that transport patient information between the office, facilities and sometimes their homes; have nurse hotlines and disease management program that employ teams that work remotely; employ other telecommuters that have access to PHI; or use marketing teams that gather demographic information and complete insurance applications in the field. Are you comfortable that your company has the proper controls in place to PHI obtained, accessed, and maintained for these normal business activities?
In the Lincare case, the OCR found that the Lincare employee took PHI from the Lincare’s office, left the information unprotected allowing an unauthorized person had access (her husband), and then “abandoned the information altogether” when she moved from the marital home. The estranged husband of a Lincare manager filed a complaint alleging that his wife allowed him access to the "protected health information" of Lincare patients and that when they split-up she left behind documents containing the PHI of 278 Lincare patients (names, addresses, telephone numbers, and emergency contacts of 270 patients in a manual; and patient assessments and care plans, physician prescriptions, certificates of necessity, and confirmations of orders of eight other patients). The OCR investigation revealed that Lincare did not even know that the documents were missing, until the husband filed a compliant. Which raises the second question – How are you tracking the movement of PHI that leaves your offices or is gathered offsite?
Violations That Sparked HIPAA Enforcement
1. Lincare Did Not Have Safeguards or Policies Addressing Secure Handling of Offsite PHI
The OCR also concluded that notwithstanding, Lincare knowledge of the complaint, which was filed on December 1, 2008, and the on-going OCR’s investigation, Lincare failed to take necessary steps to establish policies and procedures and safeguards to protect this information to ensure compliance with the HIPAA. The OCR noted that although Lincare revised its policies in 2009, the new policies and procedures also failed to provide guidance to employees required to remove documents from the offices.
2. Lincare Had an Unwritten Policy to Store PHI in Vehicles as a Part of its Emergency Procedure Protocol
Lincare instructed managers to store copies of an "Emergency Procedures Manual," which contained PHI of 270 Lincare patients (names, addresses, telephone numbers, and emergency contacts ) in their vehicles so that company employees would have access to patient contact information if a center office were destroyed or otherwise made inaccessible. The OCR therefore concluded that Lincare had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time, which violated HIPAA requirements to safeguard PHI. I might add that this was probably not the best approach to meet the regulatory requirements of a business continuity plan.
3. Lincare Failed to Take Reasonable Steps Against Theft of PHI
Lincare’ defense that the PHI was “stolen” by the estranged husband was rejected by the ALJ. Theft might have been an affirmative defense if Lincare had reasonable policies to protect against theft. The ALJ, however, found that Lincare was required to “take reasonable steps to protect its PHI from theft” and failed to do so.
4. Lincare Did Not Have a Policy to Monitor Documents Removed From Offices
The government also concluded that Lincare did not have policies to monitor documents removed from their offices and to ensure their return. In this case, the documents in questions were missing and abandoned for a period of time without Lincare knowledge. Lincare only became aware that documents were missing after the compliant was filed.
Calculating the Cost of the HIPAA Violations
Mitigating Factors Considered When Calculating HIPAA Fine
OCR considered Lincare's assertion that the CMP should be mitigated because no similar incidents of impermissible disclosures of PHI at any other Lincare operating center had been reported. Taking that into consideration the OCR imposed the minimum penalty amount of $1,000 per day for the violations.
Aggravating Factors Considered When in Imposing Civil Monetary Penalties
Notwithstanding the mitigating factors, the OCR concluded that there were also some aggravating factors. The OCR determined that the amount of time that Lincare continued to follow policies and practices that allowed workforce members to transport PHI away from the operating center without appropriate and reasonable safeguards was an aggravating factor. The OCR also cited Lincare's failure to promptly review and revise its HIPAA policies and procedures regarding physical and administrative safeguards for PHI transported away from the operating center after it was notified of the disclosure of PHI as an aggravating factor.
Calculating the Penalty for HIPAA Violation
The CMP in the amount of $239,800 was determined as follows. Lincare was fined $25,000 for impermissible disclosure of PHI and another $25,000 for failure to safeguard PHI, plus $189,800 for the daily violations of administrative requirements related to policies and procedures.
How to Avoid These HIPAA Violations: The Lessons Learned
There are several lessons to be learned from the Lincare decision.
Lesson #1 - Establish Effective Policies and Procedures for Offsite PHI
Establish effective policies and procedures and training to address PHI removed from the office; gathered in the field, at facilities, or in residential based offices; or accessed remotely. Failure to do so could lead to penalties calculate daily.
Lesson #2 - Establish Effective Policies and Procedures to Track Offsite PHI
Establish effective policies and procedures to track PHI that leaves the office and have in place an effective means to monitor and ensure that all PHI is returned to the office. Failure to do so could lead to penalties calculate daily.
Lesson #3 – Mitigate Risk by Promptly Modifying Policies and Procedures in Response to HIPAA Breaches and Violations
Promptly modify policies and procedures to help ensure that know violations do not recur. Failure to do so could lead to penalties calculate daily, as well as, be a cited as an aggravating factor leading to CMPs.
Lesson #4 – Have a HIPAA Compliant Business Continuity Plan
Make sure storing sensitive information in employees’ vehicle is not a part of your business continuity plan.