Lincare Hit with $240,000 HIPAA Penalty

Posted on Health Care Law News February 14, 2016 by Robert Nicholson

Lincare, a major provider of in-home respiratory care and other services, will pay $238,900 in civil monetary penalties for violating the Health Insurance Portability and Accountability Act (HIPAA), federal authorities announced Wednesday.  The civil monetary penalty was challenged, but now has been upheld by an administrate law judge (ALJ).

The breach involved a Lincare branch in Wynne, Arkansas, doing business as United Medical. Faith Shaw worked as a manager there from October 2005 until July 2009, according to the decision written by ALJ Carolyn Cozad Hughes.  When she left her husband in late 2008, Shaw left behind documents containing the protected health information of 278 patients. The documents had been removed from the company’s office in accordance with Lincare policy, which stated that managers should keep procedures manuals “secured” in their cars as a backup, in case the office were destroyed or inaccessible, according to the ALJ document.

“[Shaw] told the OCR investigator that she kept the documents in her car even though she knew that her husband had keys to the car,” Cozad Hughes wrote. “When she moved out of the marital home in August 2008, she left the documents behind. She also admitted to the OCR investigator that, when she left, she didn’t even know where the car was parked.  Shaw’s husband subsequently contacted Lincare and the OCR to report that he had access to the protected information. Lincare claimed that the documents had been stolen and were being used by Shaw’s husband as part of a ploy to win her back.

The ALJ was not convinced by this defense, however. These allegations against Shaw’s husband were “unsupported” and the whole line of defense was ill-conceived, she wrote.

“Even if I accepted the allegations, Lincare’s ‘defense’ is just as damaging – perhaps even more damaging – than the OCR version of events,” Cozad Hughes wrote. “Under HIPAA, Respondent was obliged to take reasonable steps to protect its [protected health information] from theft. It violated that obligation when Manager Shaw took documents out of the office, left them in places (car or home) accessible to this purportedly untrustworthy and possibly unbalanced individual, and then, apparently without giving a thought to the security of those documents, abandoned them entirely.”

“When asked whether Lincare considered revising its policies to include specific guidelines for safeguarding [protected health information] taken out of its offices, Corporate Compliance Officer Pederson replied that Lincare personnel ‘considered putting a policy together that said thou shalt not let anybody steal your protected health information,’” Cozad Hughes wrote. “I do not consider this a serious response.”

The Florida health care law firm of Nicholson & Eastin, LLP represents medical providers in all phases of administrative, civil and criminal regulatory investigations, including HIPAA privacy rule investigations. If you need assistance with responding to an investigation or evaluating an information breach situation, please contact us for a consultation.