The Office for Civil Rights (“OCR”), a division of the Department of Health and Human Services, recently took the rare step of imposing civil monetary penalties against a large home health provider for violating the Health Insurance Portability and Accountability Act (“HIPAA”), highlighting the importance of developing written policies that address the realities of how and where employees use documents containing patients’ protected health information (“PHI”).
A Lesson in Safeguarding PHI
HIPAA creates privacy rights and protections for consumers of health services. To ensure these rights are protected, entities that possess and transmit PHI, defined as “covered entities,” are required to safeguard that information. Lincare, the provider in this case, supplies respiratory care, infusion therapy and medical equipment to in-home patients. Because Lincare employees often travelled to patients’ homes, they routinely had to take PHI into the field to perform their duties. Lincare also had a practice of requiring its employees to keep copies of documents containing PHI in their vehicles so that they could access the information if the physical office were destroyed or otherwise made inaccessible. These practices are not, in and of themselves, HIPAA violations. However, Lincare was required to develop and implement policies and procedures, in either written or electronic form, reasonably designed to protect its patients’ PHI while those documents were out of the office.
The problem in this case arose when a Lincare employee kept documents with PHI in her car even though she knew that her husband had keys to the car. The employee and her husband had a falling out. The employee moved out of her home and left her car, and the documents, behind. Months later, the husband reported to Lincare and to OCR that he had the documents. OCR investigated and found that, while Lincare had a written policy designed to safeguard PHI within its offices, it had no policy addressing PHI taken into the field. Accordingly, OCR concluded that Lincare violated HIPAA and imposed a penalty of nearly $240,000.
Lincare contested the penalty before an Administrative Law Judge (“ALJ”), offering the defense that it was a victim of theft. Lincare claimed that the employee’s husband stole the documents and reported them to Lincare and OCR in an attempt to induce his estranged wife to return to him. The ALJ found this to be an ill-conceived defense because, even assuming Lincare’s version of the breach were true, it was more damaging to Lincare’s case. The ALJ noted that HIPAA required Lincare to take reasonable steps to protect PHI from theft, and the alleged theft in this case only highlighted the fact that Lincare had failed to adopt any policies and procedures to safeguard PHI taken into the field. Accordingly, the ALJ upheld OCR’s penalty.
For covered entities, this case illustrates the importance of assessing the realities of how and where your employees use PHI. In a perfect world, PHI would never leave the safety of a locked file cabinet. In reality, employees often need to take PHI outside the file cabinet, or even outside the office, to perform their duties. A covered entity that does not adopt written policies and procedures addressing how and where PHI is actually being used risks significant civil penalties.
Original Content by JDSupra Business Advisor