Civil Fine Against Lincare Upheld for HIPAA Violation

By Eric Topor

Feb. 4 — Respiratory care provider Lincare will have to pay a $239,800 civil monetary penalty (CMP) imposed by the HHS for failure to safeguard protected health information of 278 patients.

The fine was imposed by the Department of Health and Human Services Office for Civil Rights (OCR), and upheld by an administrative law judge in a January opinion released Feb. 3. The ALJ granted the government summary judgment amid undisputed evidence that Lincare didn't reasonably safeguard the protected health information of its patients, and didn't develop or implement policies and procedures to safeguard PHI while in the custody of employees outside of its offices.

Kirk Nahra, an attorney with Wiley Rein LLP in Washington, told Bloomberg BNA Feb. 4 that the fine “relates to the lack of controls more than the number of people affected.” Nahra also said the OCR usually tries to resolve investigations without going through “a very extensive formal process for a CMP,” and most companies facing OCR investigations “have also found it in their interest to settle without going through this full process.”

The ALJ in the case said Lincare waived its right to contest the amount of the CMP because it didn't raise any “factual or legal basis” in opposition to the amount of the penalty. Nahra said the CMP amount “relates to the lack of controls more than the number of people affected,” and added, “really bad practices affecting a small number of people can lead to big dollars [in fines],” and “strong practices that ultimately also have a large breach can mean no enforcement at all.”

Marital Strife Led to Investigation

Faith Shaw, a Lincare center manager, moved out of the residence she shared with her husband, Richard Shaw, in 2008. Richard Shaw contacted the OCR and said that Faith Shaw had left PHI for Lincare patients at the home.

The OCR initiated an investigation of Lincare and discovered that Faith Shaw also kept PHI overnight in a vehicle that she and Richard Shaw both had access to. It was undisputed that Richard Shaw didn't have authorization to view the PHI of Lincare patients.

The OCR concluded in a January 2014 notice of proposed determination that Lincare violated HIPAA by impermissibly disclosing the PHI of 278 patients, failing to safeguard PHI in its possession and failing to implement adequate policies and procedures for safeguarding its patients' PHI.

Lincare appealed the OCR's determination, and the OCR in turn moved for summary judgment on the HIPAA violations and the amount of the CMP imposed.

‘Undisputed Evidence’ Shows Violations

ALJ Carolyn Cozad Hughes said the “undisputed evidence” from the OCR's investigation showed that Lincare failed to adopt adequate safeguards to protect against the disclosure of the PHI of 278 patients. Faith Shaw admitted to OCR investigators that she routinely left PHI in her car despite knowing her husband had access to it.

Lincare claimed that Richard Shaw “stole” the PHI in an attempt to compel his wife to return to the marriage, but Cozad Hughes said those allegations were “unsupported,” and even more damaging to Lincare if they were true. Cozad Hughes said Lincare violated HIPAA when Faith Shaw left PHI in a car that unauthorized persons had access to, and when it failed to take remedial steps after learning of the breach.

Cozad Hughes said that in response to a question of whether Lincare would revise its PHI policies in light of the breach, Lincare's corporate compliance officer stated that the company “considered putting a policy together that said thou shalt not let anybody steal your protected health information.” Cozad Hughes said she “[did] not consider this a serious response.”

Although the nature of Lincare's services necessitated taking patient PHI out of its offices, Cozad Hughes said there was no written policy on how to protect patient PHI while out of the office, as required under HIPAA.

To contact the reporter on this story: Eric Topor in Washington at

To contact the editor responsible for this story: Brent Bierman at