An administrative law judge ruled that respiratory- and infusion-care provider Lincare must pay $239,800 for failing to safeguard patient information. The case marks the second time in eight years HHS has extracted a penalty for a privacy violation through litigation rather than a negotiated settlement.
The decision stems from an investigation of a complaint that a Lincare employee had moved, leaving behind documents containing federally protected healthcare records of 278 patients.
According to HHS' Office for Civil Rights, “Lincare had inadequate policies and procedures in place to safeguard patient information that was taken off-site, although employees, who provide healthcare services in patients' homes, regularly removed material from the business premises.”
The Office for Civil Rights also said Lincare had an "unwritten policy" requiring certain employees to keep patient records in their own vehicles for extended periods of time and took only minimal corrective actions even after learning of the agency's complaint and investigation.
Lincare Holdings, based in Clearwater, Fla., is a subsidiary of the German company Linde Group, a manufacturer of, among other things, various gases for healthcare and industrial uses. Lincare and Linde did not immediately respond to requests for comment.
Since 2008, there have been 30 Office for Civil Rights investigations of privacy and security rule violations that have led to monetary payments, according to the agency's website. Most have ended in negotiated settlements.
In 2011, however, the office went after Cignet Health of Prince George's County, Md., for refusing to supply several of its patients with copies of their records and sought a $4.3 million civil monetary penalty. That case eventually went to court. Cignet lost and was ordered to pay nearly $4.8 million.