For the second time in history, on January 13, 2016, an Administrative Law Judge (ALJ) upheld the imposition of civil money penalties charged against a covered entity by the Office of Civil Rights in the Department of Health and Human Services (OCR) for violations of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). Typically, covered entities cooperate with OCR and enter into a resolution agreement that indicates the covered entities potentially violated HIPAA (sometimes with the payment of a resolution amount). However, Lincare refused to settle and took the position that it had not violated HIPAA because the protected health information (PHI) was “stolen” by a former employee. Evidence established that Lincare had a practice of requiring its employees to keep patient information “secured” in their vehicles so that if an office was destroyed, they still had access to the PHI. In this situation, the employee left the PHI in a car to which her husband had the keys – and then left it behind when she moved out of their marital home. The husband informed Lincare and OCR that he had the PHI in his possession. Lincare argued that the husband stole the PHI in an attempt to induce his estranged wife to return to him. The ALJ found that was no defense and stated that “under HIPAA, Respondent [Lincare] was obligated to take reasonable steps to protect its PHI from theft.” In the absence of an appeal by Lincare, Lincare now owes civil money penalties of $239,800 due to its violations of HIPAA.
You can read the ALJ’s opinion here and the OCR press release here.