Historic Moment: Husband Reports Wife’s HIPAA Violation Triggering Six Figure Penalty Against Employer

Obermayer Rebmann Maxwell & Hippel LLP

For the second time in history, the Office for Civil Rights (“OCR”) has imposed a civil monetary penalty (“CMP”) against a covered entity for violations of the Health Insurance and Portability Act (“HIPAA”). Lincare, Inc., a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, is required to pay a $239,800 CMP for failure to safeguard its patients’ protected health information (“PHI”) in violation of HIPAA. A U.S. Department of Health and Human Services administrative law judge has upheld the imposition of the CMP and granted summary judgment to OCR on all issues.

OCR began investigating Lincare in 2009 after it received a complaint from Richard Shaw stating that he had found the PHI of 278 patients inside the home that he formerly shared with his wife, Faith Shaw, a Lincare employee. Ms. Shaw, who worked as a manager of an operating center for Lincare, left the PHI in her home when she moved out. In addition, Ms. Shaw routinely kept and maintained PHI in her car, despite her knowledge that her husband, Mr. Shaw, had a key to the car.

The compromised PHI included an emergency procedures manual with the names, addresses, telephone numbers, and emergency contacts of 270 patients. In addition, there were patient assessment and care plans, physician prescriptions, certificates of necessity, and confirmation of orders with names, addresses, telephone numbers, dates of birth, medical symptoms, diagnosis, medical test results, prescriptions, names of physicians, and names of pharmacies for an additional 8 patients.

During its investigation, the OCR found the following:

  • Impermissible Disclosure of PHI: Ms. Shaw impermissibly disclosed PHI in violation of 45 C.F.R. § 164.502(a) by allowing Mr. Shaw access to the PHI either in the car or in their shared home.
  • Failure to Safeguard PHI: Ms. Shaw did not implement appropriate safeguards to protect the PHI from unauthorized use or disclosure in violation of 45 C.F.R. § 164.530(c). She left PHI in her car and abandoned PHI in her home after she moved out.
  • Failure to Implement Appropriate Administrative Policies and Procedures: Lincare failed to implement appropriate policies and procedures to safeguard PHI in violation of 45 C.F.R. § 164.530(i)(1). Employees were permitted to remove PHI from the operating center and maintain it in their vehicles for indefinite periods of time. Lincare did not record or track the movement of PHI or instruct employees how to maintain the PHI in a safe and secure manner.

The administrative law judge, granting summary judgment to OCR, confirmed that the “undisputed evidence establishes that Lincare violated HIPAA because it failed to safeguard the PHI of its patients; a member of its workforce disclosed patient PHI to an unauthorized person; and it lacked policies and procedures reasonably designed to ensure compliance with the Privacy Rule.”

OCR Director Jocelyn Samuels stated that “[w]hile OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.” She further stated that “all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”

To read the HHS Press Release, click here.

To read the OCR’s Notice of Proposed Determination, click here.

To read the ALJ’s Opinion, click here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising

Written by:

Obermayer Rebmann Maxwell & Hippel LLP

Obermayer Rebmann Maxwell & Hippel LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.