Home health care provider Lincare, Inc. must pay $239,800 in civil monetary penalties for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, according to a February 3, 2016 press release from the U.S. Department of Health and Human Services (“HHS”). The announcement follows a January 13, 2016 administrative ruling granting summary judgment in favor of the HHS’s Office for Civil Rights (“OCR”). This is only the second time that OCR has sought civil monetary penalties for a HIPAA violation; OCR typically resolves violations through undertakings for voluntary compliance.

Lincare, a nationwide provider of respiratory care, infusion therapy, and medical equipment to in-home patients, came under investigation in 2008 after OCR received a complaint from the estranged husband of an Arkansas-based Lincare employee. Based on a subsequent investigation by OCR, OCR alleged that the employee routinely left documents containing 278 patients’ protected health information (“PHI”) in unsecure locations, such as the couple’s shared car and home. It was undisputed that the employee’s husband was not authorized to view the PHI. Moreover, according to OCR, the employee abandoned the documents altogether after moving residences.

In January 2014, after concluding the lengthy investigation, OCR cited Lincare for three violations of HIPAA’s Privacy Rule, which sets standards for the use and disclosure of protected health information. OCR issued corresponding civil monetary penalties for each alleged violation: (1) $25,000 for impermissible disclosure of PHI; (2) $25,000 for failure to safeguard PHI; and (3) $189,800 for insufficient policies and procedures related to the removal of PHI from business premises. In calculating penalties, OCR took into account that Lincare neglected to review and revise its HIPAA policies after learning about the complaint.

On appeal, Administrative Law Judge (“ALJ”) Carolyn Cozad Hughes granted summary judgment in favor of OCR after concluding that, based on the “undisputed evidence,” Lincare violated HIPAA’s Privacy Rule. Specifically, the ALJ found that Lincare failed to safeguard the PHI of patients; a Lincare employee disclosed patient PHI to an unauthorized individual; and Lincare lacked policies and procedures designed to ensure compliance with the Privacy Rule. Lincare waived any challenge to the penalty amount, and the ALJ sustained OCR’s proposed civil monetary penalties of $239,800. Lincare has 30 days to file a notice of appeal with the Appellate Division of the HHS Departmental Appeals Board.

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.