In an unusual scenario, and in fact for only the second time in history, the Office for Civil Rights (OCR) succeeded before an Administrative Law Judge (ALJ) in obtaining an order for the payment of civil monetary fines as a result of HIPAA violations.

The OCR assessed a penalty of $240,000 against Lincare Holdings, Inc. (Lincare) for failing to safeguard the PHI of 270 patients. Lincare appealed the assessment to an ALJ. The case stemmed from a complaint by the ex-husband of a Lincare employee, who reported to Lincare and the OCR that his ex-wife had left PHI of Lincare patients in a car that she left with him. He was not authorized to access or view the PHI.

At the time, employees were allowed to take PHI from the premises and were ordered to keep copies of documents in their car in the event that something happened to the building. The judge stated that the company had no policies or procedures to monitor or provide for the security of the documents. She further held that Lincare failed to take reasonable steps to protect the PHI.

Following the decision, the OCR stated: “…all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”

This is another example of PHI being left in a car and either lost or stolen, with devastating consequences. Companies that allow employees to take PHI offsite may wish to review and implement travel policies and encryption technology for removable media.