An administrative law judge has upheld the authority of the Office for Civil Rights of the Department of Health and Human Services to enforce HIPAA regulations and impose fines, the second time a judge has made such a ruling in OCR’s favor.

The decision means Lincare, a healthcare provider of respiratory care, infusion therapy and medical equipment to in-home patients, will have to pay $239,800 in civil money payments for an incident in which patient records were left unsecure.

In the case, OCR charged that a Lincare employee took 278 patient records home and later left the records in the house after moving to live elsewhere. Another person who had lived in the home with the employee later found the records.

An OCR investigation found that Lincare employees, who provide healthcare services in patients’ homes, regularly removed patient information from the company’s offices. “Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time,” the agency reported. “Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and procedures and strengthen safeguards to ensure compliance with the HIPAA rules.”

OCR reported that Lincare denied violating HIPAA, contending that patients’ protected health information was “stolen” by the individual who found the records in the home. In the ensuing court case, the administrative law judge ruled that Lincare was obligated to take reasonable steps to protect PHI.

Regarding the case, Lincare issued a statement indicating that the case “involved the theft of patient information from a Lincare employee, and criminal charges were filed against the individual who committed the crime. Lincare proactively informed the Office for Civil Rights that patient information had been stolen. Lincare takes its responsibility to patient privacy very seriously, and we follow strict policies and procedures to protect patient information.”

In the other case taken before an administrative law judge, Cignet Health was fined $4.3 million for breaches of patient records that occurred in 2008 and 2009. In that case, 41 patients complained that Cignet Health denied them access to their medical records, which resulted in the case going before an administrative law judge. Cignet did not cooperate in the investigation by refusing to produce records under subpoena records and did not agree to a corrective action plan. OCR obtained a default judgment against Cignet, which then produced the records but made no other attempts to resolve complaints.

OCR regularly works with healthcare organizations that have been breached, making sure they understand their responsibilities under the law and giving guidance on mitigating the breach. Nearly 30 times, however, an investigation of a breach revealed widespread non-compliance that OCR believed to be serious enough to compel a comprehensive corrective action plan and a civil monetary fine on an organization.

"It is difficult for healthcare organizations to prevail in the administrative context, particularly because of the evidence the administrative law judge may consider in rendering a decision."

Now that OCR’s authority to enforce HIPAA and levy fines has been reaffirmed, “this decision signals that it is difficult for healthcare organizations to prevail in the administrative context, particularly because of the evidence the administrative law judge may consider in rendering a decision, which is not controlled by the federal rules of evidence,” says Nancy Bonifant Halstead, a healthcare attorney in the Reed Smith law firm.

When OCR starts an investigation, that is a critical period during which covered entities should demonstrate they take HIPAA obligations seriously and take corrective actions, she advises. OCR, she notes, continues to prefer to handle these issues through voluntary compliance.

Even the most diligent healthcare organizations experience breaches because of human error, so how the investigation turns out depends on how an organization responds to the investigation. Importantly, an investigation is rarely limited to the incident at hand, Halstead warns. “Ultimately, it becomes a de facto audit of the company’s general HIPAA compliance, the results of which determines if there will be any OCR enforcement, formal or informal.”

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access