Lincare, Inc., d/b/a United Medical, supplies respiratory care, infusion therapy, and medical equipment to patients in their homes. The estranged husband of one of its managers complained that his wife allowed him access to the “Protected Health Information” of Lincare patients, even though he was not authorized to see it. Following a lengthy investigation, the Director of the Office for Civil Rights (OCR) determined that Lincare violated the Health Insurance Portability and Accountability Act (HIPAA) because it did not implement policies and procedures to safeguard records containing its patients’ protected health information (PHI), and it failed to protect against disclosure to unauthorized persons the PHI of 278 of its patients. OCR has proposed a civil money penalty (CMP) of $239,800. OCR moved for summary judgment, which Lincare opposed. Administrative judge agreed that the undisputed evidence establishes that Lincare violated HIPAA and granted OCR’s motion and sustain the $239,800 CMP based on the following 3 key issues:
1. OCR is entitled to summary judgment because the undisputed evidence establishes that Lincare did not reasonably safeguard the PHI of its patients, as required by 45 C.P.R. § 164.530(c), which allowed an unauthorized individual access to that information.
2. OCR is entitled to summary judgment because the undisputed evidence establishes that, in violation of45 C.F.R. § 164.530(i), Lincare failed to develop or implement policies and procedures to protect from disclosure the PHI that staff removed from branch offices.
3. Lincare has waived any challenge to the amount of the proposed penalty.
To learn more about the issue review our the following notice of proposed determination and decision by the administrative judge:
Latest posts by EHR 2.0 (see all)
- Trump Administrations’ Effect on Healthcare Organizations - January 23, 2017
- HIPAA Fine for Lack of Timely Breach Notification - January 11, 2017
- HIPAA Compliance 2016 Year in Review - January 9, 2017