Letting employees keep protected health information in a car overnight, without specifying reasonable physical or administrative safeguards, violates federal health information privacy standards, according to an administrative law judge at the U.S. Department of Health and Human Services (HHS).


The judge, Carolyn Cozad Hughes, ruled that a home health care company that let a center manager keep patients’ health records in her car overnight, without giving her any security instructions other than to keep the records on the floor of the car, violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The judge ordered the company, Lincare, to pay $239,800 in civil monetary penalties, the amount proposed by the HHS Office for Civil Rights (HHS OCR), according to an HHS OCR notice sent to Lincare.

Representatives from Lincare were not immediately available to comment.


The husband of a woman who managed a Lincare home health care center in Arkansas filed an HHS OCR complaint in December 2008. In the complaint, he asserted that he found the records of 278 Lincare patients in his home, under a bed and in a kitchen drawer, after his wife moved out, and that he told Lincare about the matter in November 2008.

The wife also kept the patient information in her car, and the complainant had keys to the car, according to HHS OCR.

Lincare knew that employees in the Arkansas center regularly took patient information off premises, and it did not track transport of the information or take reasonable steps to enforce compliance with its health information protection policies, according to HHS OCR.

Lincare asserted that the husband had the information because he stole it. The judge rejected that defense, because the company has an obligation under HIPAA to take reasonable steps to protect health information from theft.

The judge approved an HHS OCR recommendation that Lincare pay $25,000 for disclosing health information, $25,000 for failing to safeguard the information, and $189,000 for not taking adequate steps to review and revise its HIPAA policies and procedures after it learned about the disclosure of the information.
