OCR Slaps Home Health Provider with Penalty
Federal Regulators Say Lincare Took Inadequate Steps After HIPAA Investigation
Federal regulators took action this week to hammer home an important point: If a healthcare organization fails to take action to resolve security issues after a HIPAA investigation, it can face a substantial penalty.
For only the second time, regulators imposed a civil monetary penalty in a case involving egregious violations of HIPAA.
The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, says an HHS administrative law judge has granted a summary judgment requiring Lincare Inc., a provider of respiratory care, medical equipment and other services to in-home patients, to pay a $239,800 civil monetary penalty.
OCR generally imposes a civil monetary penalty only in those cases that involve a lack of cooperation with investigators or the failure to take recommended steps to correct security deficiencies. In more than two dozen HIPAA enforcement actions without such penalties, OCR has reached voluntary resolution agreements containing financial settlements of widely varying amounts as well as corrective action plans.
The HIPAA enforcer issued its first civil monetary penalty in 2011 against Cignet Health for violations of the HIPAA Privacy Rule. Cignet, which operates four clinics in Maryland, was fined $4.3 million for the violations that involved failing to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators. So far, Cignet hasn't paid its penalty. "OCR is pursuing this collection," a spokeswoman for the office tells Information Security Media Group.
Lincare Case Details
OCR's investigation of Clearwater, Fla.-based Lincare - which has 850 locations in 48 states - began after an individual complained in December 2008 that a Lincare employee left behind documents containing the PHI of 278 patients after moving to a new residence, OCR says in its "notice of proposed determination."
"Evidence established that this employee removed patients' information from the company's office, left the information exposed in places where an unauthorized person had access and then abandoned the information altogether," OCR says.
Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide healthcare services in patients' homes, regularly removed material from the business premises.
"Further evidence indicated that the organization had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time," OCR says. "Although aware of the complaint and OCR's investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA rules."
Although OCR prefers to resolve issues through voluntary compliance, "this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA rules," says OCR Director Jocelyn Samuels. "The decision in this case validates the findings of our investigation."
According to the HHS administrative law judge's ruling, all covered entities, including home health providers, must ensure that if their workforce members take PHI offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form, OCR says.
OCR says Lincare claimed that it had not violated HIPAA because the PHI was "stolen" by the individual who discovered it in the residence previously shared with the Lincare employee. "The ALJ [administrative law judge] rejected this argument, in agreement with OCR, that under HIPAA, Lincare was obligated to take reasonable steps to protect its PHI from theft," OCR says.
Settlement vs. Civil Monetary Penalties
It's up to OCR's discretion whether it seeks a civil monetary penalty from an organization being investigated for potential HIPAA violations, based on their cooperation with authorities as well as their efforts to resolve security issues, says privacy attorney Kirk Nahra of the law firm Wiley Rein LLP.
"The question of whether CMPs are pursued is mostly an issue of how the company being investigated behaves," he says. "It is in OCR's interest to be able to resolve situations to its satisfaction without going through the formal enforcement process, and most companies so far have also found it in their interest. It is analogous to why most cases settle before they go to trial - it is expensive and time consuming and burdensome and risky to go to trial. If you can reach a good settlement, you settle."
Whenever possible, OCR prefers voluntary compliance and cooperation, says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, and former adviser at OCR. "Levying civil money penalties is the remedy of last resort in OCR's tool belt for actions under the HIPAA Enforcement Rule," he says. "It requires OCR and other parts of HHS to expend significant administrative and legal resources to bring the covered entity to justice. And that is antithetical to OCR's progressive approach to enforcement that values the covered entity to take corrective action to address their HIPAA privacy or security compliance issues."
The Lincare penalty doesn't necessarily signal that more such civil monetary penalties are coming soon from OCR, Nahra adds. "I don't see this as anything other than this company decided to fight, for whatever reason. I don't think there's any particular lesson to be learned from the fact that this was a CMP case - except perhaps that OCR is prepared to fight when it needs to."
The case, like other OCR investigations, highlights the necessity to safeguard protected health information, regardless of where it resides, Nahra says. "It should remind companies about how important it is to control paper records as well as electronic information," he says. "The fine relates to the lack of controls more than the number of people affected. The number of people is one factor, but really bad [security] practices affecting a small number of people can lead to big dollar [penalties]."
The takeaways from the Lincare case, Holtzman says, "should be that OCR investigations are extremely thorough and seek to develop the evidence necessary to withstand judicial review. And in this matter, the record shows that OCR allowed the covered entity repeated opportunities over a number of years to address that the organization had not put into place even the most basic of policies and processes to safeguard the PHI of its patients and clients. For whatever reason, the management and leadership appeared to be tone deaf to the calls for change that OCR was giving them over and over again."
Lincare did not immediately reply to ISMG's request for comment.
This is not the first time the company has faced federal penalties. For example, in 2006, Lincare Holdings Inc. and its subsidiary, Lincare Inc., agreed to pay the federal government $10 million and to enter into a five-year companywide corporate integrity agreement in a case involving allegations that Lincare violated the anti-kickback provisions of the Civil Monetary Penalties Law and the Physician Self-Referral Law, according to the HHS Office of Inspector General.