Lincare Holdings, based in Clearwater, Fla., was recently hit with a $239,800 penalty due to violating the HIPPA privacy rule. This marks only the second time that the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has charged civil monetary penalties for HIPAA violations. The decision was received by Lincare attorneys on January 20th, and they were given 30 days to file a notice of appeal. The OCR stated, “Lincare had inadequate policies and procedures in place to safeguard patient information that was taken off-site, although employees, who provide healthcare services in patients’ homes, regularly removed material from the business premises.”
The failure to safeguard patient information involved Faith Shaw of Arkansas who worked as a manager there from October 2005 until July 2009. Ms. Shaw was in the process of leaving her husband and moving, and she allegedly left the documents behind in a vehicle. These documents contained health information on 278 patients. Her husband notified Lincare and the OCR. While Lincare claimed the records were stolen by the husband who discovered them on the premises previously shared with the Lincare employee, the judge in the case said the allegations were unsupported.
OCR pointed out that even after finding the patient record breach and finding out that OCR was investigating, little was done to address the vulnerabilities due to poor procedures and little was done to implement more demanding regulations to prevent the breach from happening again. Since 2008, there have been 30 OCR investigations of privacy and security rule violations that have led to monetary payments.