For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties (CMPs) for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule that were uncovered during the investigation of a complaint about a breach involving the records of 278 patients.
The Privacy Rule violation, of 45 C.F.R. § 164.530(i), was recently upheld by a U.S. Department of Health and Human Services Administrative Law Judge; the motion for summary judgment was granted and the decision to impose civil monetary penalties was upheld.
HIPAA Privacy Rule Violation Uncovered by OCR
Lincare Inc., doing business as United Medical, operates more than 850 medical centers across the United States, providing medical equipment and respiratory care to patients at its facilities and through in-home services.
A complaint was filed with OCR about a Lincare employee who left behind documents containing the PHI of 278 patients at one of the locations where medical services were provided.
OCR's investigation confirmed that PHI had been removed from Lincare facilities, disclosed to an individual not authorized to view PHI, and that the Lincare employee had left the documents behind. The investigation also uncovered multiple further HIPAA violations.
Employees were routinely removing PHI from Lincare locations, yet inadequate safeguards had been put in place to keep those records secure. Although not a written policy, some employees were known to keep patient PHI in their vehicles for “lengthy intervals of time,” and Lincare appeared to overlook this.
OCR noted that even after discovering the breach and learning that OCR was investigating the case, very little was done to address the security weaknesses and implement more rigorous controls to prevent the disclosure of PHI.
In the case, Lincare argued that the HIPAA Rules had not been violated because the documents containing patient PHI had been “thieved” by the individual who later reported the HIPAA breach to OCR. The Administrative Law Judge found that Lincare could offer no proof that this was the case. Lincare contended that the complainant had stolen the records in an effort to “utilize it as leverage to convince his alienated spouse to return to him.”
According to the ALJ’s Opinion, Lincare Inc. Center Manager Faith Shaw removed patients’ PHI, placed it in locations where her spouse had access, and then abandoned those records. The judge stated that nobody at Lincare Inc., including Center Manager Shaw, knew the information was missing for months. This was not considered an adequate attempt to “sensibly protect” patient PHI.
The judge also noted that when asked whether Lincare would be revising its policies to ensure PHI was better protected, the firm’s corporate compliance officer stated that Lincare “had thought to put a policy together that said thou shalt not allow anyone to steal your safeguarded health info.”
In the majority of cases, OCR reaches a voluntary agreement with covered entities and a settlement is negotiated to resolve potential HIPAA violations. While it is unusual for a CMP to be issued, this penalty shows that OCR will pursue action through the courts and will hold HIPAA-covered entities financially accountable for violating the HIPAA Security, Privacy, and Breach Notification Rules. A voluntary settlement does not have to be reached.
Second Sub-500-Record Penalty Issued by OCR for HIPAA Violations
This is not the first time OCR has penalized a covered entity for HIPAA violations discovered after a breach of fewer than 500 healthcare records. In early 2013, the Hospice of North Idaho (HONI) agreed to a penalty of $50,000 for a data breach caused by the theft of a laptop containing the health records of 441 patients.
The penalties indicate that it is not the size of the breach that is the issue, but the seriousness of the HIPAA violations that led to the disclosure of protected health information.