BreachExchange mailing list archives

Violate Patient Data Safety At Your Peril, Warns Judge


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 11 Feb 2016 19:14:08 -0700

http://www.information-management.com/news/security/violate-patient-data-safety-at-your-peril-warns-judge-10028237-1.html

An administrative law judge has upheld the authority of the Office for
Civil Rights of the Department of Health and Human Services to enforce
HIPAA regulations and impose fines, the second time a judge has made such a
ruling in OCR’s favor.

The decision means Lincare, a healthcare provider of respiratory care,
infusion therapy and medical equipment to in-home patients, will have to
pay $239,800 in civil money penalties for an incident in which patient
records were left unsecured.

In the case, OCR charged that a Lincare employee took 278 patient records
home and later left the records in the house after moving to live
elsewhere. Another person who had lived in the home with the employee later
found the records.

An OCR investigation found that Lincare employees, who provide healthcare
services in patients’ homes, regularly removed patient information from the
company’s offices. “Further evidence indicated that the organization had an
unwritten policy requiring certain employees to store protected health
information in their own vehicles for extended periods of time,” the agency
reported. “Although aware of the complaint and OCR’s investigation, Lincare
subsequently took only minimal action to correct its policies and
procedures and strengthen safeguards to ensure compliance with the HIPAA
rules.”

OCR reported that Lincare denied violating HIPAA, contending that patients’
protected health information was “stolen” by the individual who found the
records in the home. In the ensuing court case, the administrative law
judge ruled that Lincare was obligated to take reasonable steps to protect
PHI.

Regarding the case, Lincare issued a statement indicating that the case
“involved the theft of patient information from a Lincare employee, and
criminal charges were filed against the individual who committed the crime.
Lincare proactively informed the Office for Civil Rights that patient
information had been stolen. Lincare takes its responsibility to patient
privacy very seriously, and we follow strict policies and procedures to
protect patient information.”

In the other case taken before an administrative law judge, Cignet Health
was fined $4.3 million for breaches of patient records that occurred in
2008 and 2009. In that case, 41 patients complained that Cignet Health
denied them access to their medical records, which resulted in the case
going before an administrative law judge. Cignet did not cooperate in the
investigation, refusing to produce records under subpoena, and did not
agree to a corrective action plan. OCR obtained a default judgment
against Cignet, which then produced the records but made no other attempts
to resolve complaints.

OCR regularly works with healthcare organizations that have been breached,
making sure they understand their responsibilities under the law and giving
guidance on mitigating the breach. Nearly 30 times, however, an
investigation of a breach revealed widespread non-compliance that OCR
believed to be serious enough to compel a comprehensive corrective action
plan and a civil monetary fine on an organization.

Now that OCR’s authority to enforce HIPAA and levy fines has been
reaffirmed, “this decision signals that it is difficult for healthcare
organizations to prevail in the administrative context, particularly
because of the evidence the administrative law judge may consider in
rendering a decision, which is not controlled by the federal rules of
evidence,” says Nancy Bonifant Halstead, a healthcare attorney in the Reed
Smith law firm.


When OCR starts an investigation, that is a critical period during which
covered entities should demonstrate they take HIPAA obligations seriously
and take corrective actions, she advises. OCR, she notes, continues to
prefer to handle these issues through voluntary compliance.

Even the most diligent healthcare organizations experience breaches because
of human error, so how the investigation turns out depends on how an
organization responds to the investigation. Importantly, an investigation
is rarely limited to the incident at hand, Halstead warns. “Ultimately, it
becomes a de facto audit of the company’s general HIPAA compliance, the
results of which determine if there will be any OCR enforcement, formal or
informal.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/