BreachExchange mailing list archives

Latest Office of Civil Rights Enforcement Action: Underbed Storage is Not Appropriate for Personal Health Information


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 9 Feb 2016 10:02:30 -0600

http://www.natlawreview.com/article/latest-office-civil-rights-enforcement-action-underbed-storage-not-appropriate

Recent enforcement actions by the U.S. Department of Health and Human
Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not
surprisingly, Covered Entities should not leave medical records in a
physician’s driveway
<http://www.natlawreview.com/article/office-civil-rights-ocr-confirms-medical-records-should-not-be-left-driveway>
and should not dispose of protected health information (“PHI”) in a dumpster
<http://www.natlawreview.com/article/data-breach-nightmare-scenario-news-affiliate-reports-improper-disposal-patient-info>.
From an action against a home health care provider announced yesterday, we
can now add to that list the fact that PHI should not be stored under an
employee’s bed or in a kitchen drawer.

Yesterday OCR announced a January 13, 2016 decision by an HHS
Administrative Law Judge (“ALJ”) upholding the imposition of $239,800 in
civil monetary penalties (“CMP”) against Lincare, Inc. (“Lincare”). Lincare
is a home health care company that provides respiratory care, infusion
therapy, and medical equipment from centers located throughout the United
States. The enforcement action stems from a December 2008 complaint by the
estranged husband of a Lincare employee. The husband reported to OCR that
his wife, a center manager for a Lincare center in Arkansas, had moved out
of the home they shared in August 2008. In November 2008, the husband found
PHI of 278 Lincare patients in the home, specifically “under a bed and in a
kitchen drawer.” Further investigation by OCR revealed that the employee
continuously stored PHI in her car and in her home. The investigation also
uncovered the fact that Lincare’s privacy policy did not include policies
or instructions to employees for protecting PHI taken offsite or any type
of logging systems for tracking PHI taken offsite.

OCR attempted to reach a voluntary resolution of the violations with
Lincare, but was unsuccessful. In January 2014, the agency issued a notice
of proposed determination of CMP in the amount of $239,800. The penalties
related to failure to safeguard PHI, impermissible disclosure of PHI, and
failure to implement policies and procedures reasonably designed to ensure
compliance with the Privacy Rule. Lincare appealed the determination to the
ALJ. On January 13, 2016, the ALJ granted OCR’s motion for summary judgment
and sustained the CMP. The Lincare action is only the second time that OCR
has sought CMP for violations of HIPAA. The first was a $4.3 million fine
against Cignet Health
<http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/>
in 2011.

In 2016, while privacy officers and IT specialists lie awake at night
worried about moving healthcare data to the cloud or the threat of
cyberattacks on PHI, it’s easy to forget that protecting PHI can be a
low-tech endeavor as well. The Lincare action highlights the importance of
having robust policies and procedures to protect PHI, particularly for
providers whose employees perform services offsite and must transport PHI
as part of their job functions.

A press release from OCR is available here
<http://www.hhs.gov/about/news/2016/02/03/administrative-law-judge-rules-favor-ocr-enforcement-requiring-lincare-inc-pay-penalties.html>,
along with links to the notice of proposed determination
<http://www.hhs.gov/sites/default/files/Lincare_NPD_remediated.pdf> from
OCR and the ALJ’s opinion
<http://www.hhs.gov/sites/default/files/lincare_decision_remediated.pdf>.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/