Letting employees keep protected health information in a car overnight, without specifying reasonable physical or administrative safeguards, violates federal health information privacy standards, according to an administrative law judge at the U.S. Department of Health and Human Services (HHS).
The judge, Carolyn Cozad Hughes, has ruled that a home health care company that let a manager keep patients’ health records in her car overnight, without giving her any security instructions other than to keep the records on the floor of the car, violated Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule standards.
The judge has ruled that the company, Lincare, should pay $239,800 in civil monetary penalties, as proposed by the HHS Office for Civil Rights (HHS OCR), according to an HHS OCR notice sent to Lincare.
Representatives from Lincare were not immediately available to comment.
The husband of a woman who managed a Lincare home health care center in Arkansas filed an HHS OCR complaint in December 2008. In the complaint, he asserted that he found the records of 278 Lincare patients in his home, under a bed and in a kitchen drawer, after his wife moved out, and that he told Lincare about the matter in November 2008.
The wife also kept the patient information in her car, and the complainant had keys to the car, according to HHS OCR.