The latest development in a Health Insurance Portability and Accountability Act (HIPAA) breach investigation should serve as a reminder that fines are not the only way the government can punish a healthcare institution for failing to protect patient information. Civil penalties are possible, and the courts are upholding their legality.
In addition, the case is demonstrating that inquiries by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) should be taken seriously from the outset.
An HHS administrative law judge (ALJ) recently ruled that Lincare, a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, with more than 850 branch locations in 48 states, violated HIPAA and granted summary judgment to the OCR on all issues. The ruling requires Lincare to pay $239,800 in civil monetary penalties imposed by OCR. This is only the second time in its history that OCR has sought civil monetary penalties for HIPAA violations, and each time the penalties have been upheld by the ALJ.
OCR’s investigation of Lincare began after an individual complained that a Lincare employee left behind documents containing the protected health information (PHI) of 278 patients after moving residences. Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether, according to OCR.
During the investigation, OCR found that Lincare had inadequate policies and procedures to safeguard patient information that was taken offsite, although employees, who provide healthcare services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time, according to the OCR report. Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA rules, OCR told the court.
“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” OCR Director Jocelyn Samuels said in a statement released after the ALJ decision. “The decision in this case validates the findings of our investigation. Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”
Lincare claimed that it had not violated HIPAA because the PHI was “stolen” by the individual who discovered it on the premises previously shared with the Lincare employee. The ALJ rejected this argument and said Lincare was obligated to take reasonable steps to protect its PHI from theft. (The Notice of Proposed Determination and the ALJ’s opinion may be found on the HHS website at http://1.usa.gov/1P6APVD.) The company could appeal to one more level but has not indicated it will do so.
OFF-SITE EMPLOYEES
The case holds important lessons for any company that needs employees to work remotely with PHI, notes Christine G. Savage, JD, an attorney with the law firm of Choate Hall and Stewart in Boston. Such employers should conduct or update a risk analysis to determine the biggest risks for HIPAA violations with these off-site employees, and they should put appropriate policies and procedures in place, she says.
“Lincare did not have any policies and procedures in 2008, and at least the first half of 2009, that addressed how people were to safeguard information when they took it off site,” Savage explains. “There were no policies about how to check data in and out, or to record how long you had possession of the information. There was no policy on the appropriate storage of that material if you couldn’t get it back to the office at the end of the day.”
The Lincare case also indicates that OCR is concerned not only with the number of people affected by a breach, but also with the nature of the breach, Savage notes. OCR determined that 278 patients’ PHI was compromised.
Most of the civil monetary penalty relates to the lack of policies and to OCR’s claim that Lincare did nothing to enact policies even after the deficit was brought to the company’s attention. Savage says this penalty is a reminder to take seriously any concerns of this type coming from the government. If OCR says your policies are inadequate or you haven’t conducted a risk analysis, and you don’t do anything in response, regulators are likely to view the violations as more serious and to turn to civil monetary penalties to get your attention, she says. A slow or less-than-enthusiastic response may end with the same result.
Evidence cited in the ALJ decision suggests that the Lincare chief compliance officer was flippant in responding to OCR. The compliance officer replied to OCR by saying something to the effect of “we thought about putting in place a policy that you shouldn’t let anybody steal your stuff,” but found it unnecessary. OCR offered to settle the case, but Lincare refused a voluntary resolution, which typically involves a corrective action plan including a period of monitoring.
“Some of it may have been an attitudinal issue with regard to this particular company, which obviously isn’t helpful,” Savage says. “They may have made a calculated decision that OCR wouldn’t pursue it to this level.”
Lincare’s position was that it was the victim in this case because the patient records were stolen, notes Roy Wyman, JD, partner with the law firm of Nelson Mullins in Nashville, TN. That position may explain some of the company’s response, or lack of response, to the OCR inquiry, Wyman says.
One lesson from the case is that in addition to protecting PHI and having proper policies and procedures, you also must be prepared to demonstrate that you care about privacy if OCR ever comes calling, he says. Whether you think the breach was your fault or not, start out by conveying that you take seriously any suggestion that your HIPAA compliance program may be inadequate.
You still can make the argument later that OCR is misinterpreting the circumstances or try to prove that your policies and procedures were sufficient, but Wyman says the Lincare experience demonstrates that you must start off on the right foot with OCR. Wyman notes that OCR’s arguments before the ALJ suggest that it was not going to come down too hard on the fact that employees were driving around with physical records, and that it was willing to acknowledge that securing those documents was difficult.
“In the end, the message is that you can’t be combative and respond with a litigious attitude right from the start,” Wyman says. “They could have settled and probably should have. Sometimes you need to take your lumps and accept it. That seems to be where Lincare had a problem, saying they weren’t at fault and willing to take it to the limit.”
Savage points out that the person who found the PHI was the Lincare employee’s husband. The couple was splitting up, and after the employee left the home, her husband found the patient information and reported it. One explanation for Lincare’s apparently inadequate response could be that company leaders thought they were being drawn into an employee’s divorce and personal life, with the husband reporting the find to cause trouble for his wife and the company.
“They may have thought this was much ado about nothing and found several years later that OCR took it seriously,” Savage says. “I would never advise that if OCR expresses concern about your policy, that you leave that policy alone. You should be asking what you need to do to tweak it, or have a discussion with OCR about why you think you don’t need to.”