HHS/OCR’s motion to impose civil money penalty on HIPAA violation is granted by administrative judge

Medical records envelope attached to a file-folder with Confidential text, isolated on white

Medical records envelope attached to a file-folder with Confidential text, isolated on white

Lincare, Inc., d/b/a United Medical, supplies respiratory care, infusion therapy, and medical equipment to patients in their homes. The estranged husband of one of its managers complained that his wife allowed him access to the “Protected Health Information” of Lincare patients, even though he was not authorized to see it. Following a lengthy investigation, the Director of the Office for Civil Rights (OCR) determined that Lincare violated the Health Insurance Portability and Accountability Act  (HIPAA) because it did not implement policies and procedures to safeguard records containing its patients’ protected health information (PHI), and it failed to protect against disclosure to unauthorized persons the PHI of 278 of its patients. OCR has proposed a civil money penalty (CMP) of $239,800. OCR moved for summary judgment, which Lincare opposed. Administrative judge agreed that the undisputed evidence establishes that Lincare violated HIPAA and granted OCR’s motion and sustain the $239,800 CMP based on the following 3 key issues:

1. OCR is entitled to summary judgment because the undisputed evidence establishes that Lincare did not reasonably safeguard the PHI of its patients, as required by 45 C.P.R. § 164.530(c), which allowed an unauthorized individual access to that information.

2. OCR is entitled to summary judgment because the undisputed evidence establishes that, in violation of45 C.F.R. § 164.530(i), Lincare failed to develop or implement policies and procedures to protect from disclosure the PHI that staff removed from branch offices.

3. Lincare has waived any challenge to the amount of the proposed penalty.

To learn more about the issue review our the following notice of proposed determination and decision by the administrative judge:

Share this in :
  •  
  •  
  •  
  •  
The following two tabs change content below.
Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.