Lincare, Inc., a home health provider, has been ordered to pay $240,000 by the Office for Civil Rights (OCR) for violating the Health Insurance Portability and Accountability Act (HIPAA).
Reports allege that some 278 patients of Lincare had their private information disclosed without their consent. The company's general manager, Faith Shaw, had reportedly left patient files containing Protected Health Information (PHI) in her previous residence after she moved. Shaw's ex-husband had picked up the files and contacted the OCR to notify them of the incident. This prompted the OCR to conduct a thorough investigation of Lincare and its practices to determine whether they were in compliance with HIPAA.
OCR investigators determined that Shaw failed to implement meaningful and appropriate safeguards to prevent the unauthorized disclosure of PHI, as required under the HIPAA Privacy Rule. Furthermore, investigators found that Lincare was allowing certain employees to possess PHI at their homes and inside their personal vehicles, which is another HIPAA violation.
But Lincare could have gotten off with just correcting these violations. In a statement by the OCR, it was revealed that the OCR had initially requested that Lincare correct its violations through mitigation. Lincare failed to do so, however, resulting in civil penalties of nearly $240,000.
“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “The decision in this case validates the findings of our investigation.”
So, how does Lincare feel about this incident? The home health provider responded by saying the data had been stolen by Shaw; thus, the violation was not caused by the organization but rather by a single individual. Nonetheless, the OCR's investigation identified “multiple” violations within the practice, some of which were the result of Shaw's decision to bring home PHI, while others were not.
The OCR notified Lincare of its decision to pursue a $240,000 civil monetary penalty on January 20, 2016. The company has 30 days from this notice to file an appeal or pay the fine. It's unclear which direction Lincare will take at this time.
This is just one of the many stories involving HIPAA violations stemming from PHI left at a worker's home. When in doubt, leave PHI at your workplace to avoid headaches such as this.