Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.
By Eric Topor
Feb. 4 — Respiratory care provider Lincare will have to pay a $239,800 civil monetary penalty (CMP) imposed by the HHS for failure to safeguard protected health information of 278 patients.
The fine was imposed by the Department of Health and Human Services Office for Civil Rights (OCR), and upheld by an administrative law judge in a January opinion released Feb. 3. The ALJ granted the government summary judgment amid undisputed evidence that Lincare didn't reasonably safeguard the protected health information of its patients, and didn't develop or implement policies and procedures to safeguard PHI while in the custody of employees outside of its offices.
Kirk Nahra, an attorney with Wiley Rein LLP in Washington, told Bloomberg BNA Feb. 4 that the fine “relates to the lack of controls more than the number of people affected.” Nahra also said the OCR usually tries to resolve investigations without going through “a very extensive formal process for a CMP,” and most companies facing OCR investigations “have also found it in their interest to settle without going through this full process.”
The ALJ in the case said Lincare waived its right to contest the amount of the CMP because it didn't raise any “factual or legal basis” in opposition to the amount of the penalty. Nahra said the CMP amount “relates to the lack of controls more than the number of people affected,” and added, “really bad practices affecting a small number of people can lead to big dollars [in fines],” and “strong practices that ultimately also have a large breach can mean no enforcement at all.”
Faith Shaw, a Lincare center manager, moved out of the residence she shared with her husband, Richard Shaw, in 2008. Richard Shaw contacted the OCR and said that Faith Shaw had left PHI for Lincare patients at the home.
The OCR initiated an investigation of Lincare and discovered that Faith Shaw also kept PHI overnight in a vehicle that she and Richard Shaw both had access to. It was undisputed that Richard Shaw didn't have authorization to view the PHI of Lincare patients.
The OCR concluded in a January 2014 notice of proposed determination that Lincare violated HIPAA by impermissibly disclosing the PHI of 278 patients, failing to safeguard PHI in its possession and failing to implement adequate policies and procedures for safeguarding its patients' PHI.
Lincare appealed the OCR's determination, and the OCR in turn moved for summary judgment on the HIPAA violations and the amount of the CMP imposed.
ALJ Carolyn Cozad Hughes said the “undisputed evidence” from the OCR's investigation showed that Lincare failed to take adequate safeguards to protect the disclosure of the PHI of 278 patients. Faith Shaw admitted to OCR investigators that she routinely left PHI in her car despite knowing her husband had access to it.
Lincare claimed that Richard Shaw “stole” the PHI in an attempt to compel his wife to return to the marriage, but Cozad Hughes said those allegations were “unsupported,” and even more damaging to Lincare if they were true. Cozad Hughes said Lincare violated HIPAA when Faith Shaw left PHI in a car that unauthorized persons had access to, and when it failed to take remedial steps after learning of the breach.
Cozad Hughes said that in response to a question of whether Lincare would revise its PHI policies in light of the breach, Lincare's corporate compliance officer stated that the company “considered putting a policy together that said thou shalt not let anybody steal your protected health information.” Cozad Hughes said she “[did] not consider this a serious response.”
Although the nature of Lincare's services necessitated taking patient PHI out of its offices, Cozad Hughes said there was no written policy of how to protect patient PHI while out of the office, as required under HIPAA.
To contact the reporter on this story: Eric Topor in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Brent Bierman at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)