Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Home Health HIPAA Violation Costs $239,800!

March 30, 2016
Filed under Home Health & Hospice

(March 29, 2016) Lincare, Inc., a provider of respiratory care, infusion therapy and medical equipment to in-home patients, will pay $239,800 in Civil Money Penalties (CMPs) for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, after an HHS Administrative Law Judge (ALJ) ruled in favor of the Office for Civil Rights (OCR).  This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and both times the CMPs have been upheld by the ALJ.

OCR’s investigation of Lincare began after an individual, the estranged husband of a Lincare employee, complained that she had left behind documents containing the protected health information (PHI) of 278 patients when she moved out of their residence.  The employee had kept documents containing patient PHI in her car, to which her husband also had keys, and left other documents behind in the home after moving out.  Lincare did not learn the documents were missing until months later, when the estranged husband reported to Lincare and to OCR that he had the documents containing PHI in his possession.

I.  Lincare Was Alleged to Have Failed to Properly Safeguard PHI:

Under HIPAA, all covered entities, including home care providers, must protect the privacy of the PHI of the individuals they treat.  To implement that mandate, HHS issued the “Privacy Rule,” which sets the standards for protecting PHI, prohibits covered entities from using or disclosing PHI except as permitted, and requires that a covered entity “must reasonably safeguard” PHI from “any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements” of the Rule (45 C.F.R. § 164.530(c)).

Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures to safeguard patient information taken offsite, even though its employees, who provide health care services in patients’ homes, regularly removed material from the business premises.  In fact, Lincare had instructed its managers to keep copies of the procedures manual “secured” in their vehicles so that company employees would have access to patient contact information if a center office were destroyed or became inaccessible.

The ALJ held that Lincare failed to develop and implement policies and procedures reasonably designed to protect its patients’ PHI while those documents were out of the office.

Under the ALJ’s ruling, all covered entities must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.

Lincare claimed that it had not violated HIPAA because the PHI was “stolen” by the individual who discovered it on the premises previously shared with the Lincare employee.  The ALJ rejected this argument, holding that under HIPAA, Lincare “was obligated to take reasonable steps to protect its PHI from theft.”

The ALJ also noted that even after Lincare learned of the breach, it took no steps to prevent further disclosure of PHI, and that its managers “did not seem to recognize they had a significant problem protecting PHI that was removed from the office.”

When asked whether Lincare had considered revising its policies to include specific guidelines for taking PHI out of its offices, the Corporate Compliance Officer responded that it had “considered putting a policy together that said thou shalt not let anybody steal your protected health information.”  Since sarcasm is seldom appreciated in a courtroom, the ALJ did not “consider this a serious response.”

II. Lincare Was Alleged to Have Failed to Develop or Implement Appropriate Policies and Procedures to Prevent the Improper Disclosure of PHI:

The ALJ held that a covered entity must develop and implement adequate policies and procedures that are reasonably designed, taking into account the size and the type of activities undertaken by the covered entity, to ensure compliance, and again noted that such policies and procedures must be maintained “in written or electronic form.”

While Lincare had a written privacy policy that addressed maintaining records within the center offices, “no written policy even addressed staff’s protecting PHI that was removed from the offices.”

Lincare did revise its policies after it learned of the unauthorized disclosure, but the revisions provided “no guidance to employees required to remove documents from the office’s secured storage space.”  Poorly written policies like these, which are overly broad and provide “no usable guidance to employees,” do not satisfy the Privacy Rule’s requirements.

Lincare further claimed that it satisfied the HIPAA requirements because its employees were trained in privacy policies and “understood those policies, practices and procedures.”  The ALJ rejected that contention, holding that “even if training were flawless…staff training does not compensate for missing policies.  In addition to having policies and procedures in place, the covered entity must train all members of its workforce.”

In conclusion, it is imperative that all health care providers who serve patients outside of an institutional or clinical setting develop and implement adequate policies and procedures, in written or electronic form, that are reasonably designed and that specifically address the “type of activities” involved, such as protecting PHI off-site, to ensure compliance with the Privacy Rule.

Anthony Cutrona, Esq. is a health law attorney with Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, San Antonio TX, McAllen TX and Baton Rouge LA.  Our attorneys represent home health agencies, physicians, dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.

Dermatology Practice HIPAA Breach Results in Settlement with OCR

(December 30, 2013):  A Concord, Massachusetts dermatology practice has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services (HHS).  The settlement is notable because it follows an investigation by the HHS Office for Civil Rights (OCR) that began after the practice itself reported a data breach affecting patient health information.  Importantly, this dermatology practice HIPAA breach was reportedly the first case in which OCR settled with a covered entity that did not have the breach notification policies and procedures required under the HITECH Act in place.

I.  The HIPAA Breach Notification Rule Requirements:

On January 17, 2013, HHS issued its final HIPAA Omnibus Rule[1], which affected many aspects of the Privacy Rule.  The Omnibus Rule became effective on March 26, 2013, and HIPAA covered entities and business associates had to comply with its requirements no later than September 23, 2013.  The rule comprised four final rules, one of which modified the interim final rule for Breach Notification for Unsecured Protected Health Information[2] (the “Breach Notification Rule”).  The Omnibus Rule strengthened the Breach Notification Rule with more objective standards, most notably replacing its “harm threshold” with a presumption that any acquisition, access, use, or disclosure of protected health information (PHI) that violates the HIPAA Privacy Rule is a breach, unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

Furthermore, under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), covered entities must make mandatory notifications to affected individuals, the Secretary of HHS, and, in certain circumstances, the media in the event of a breach of unsecured PHI.

For individuals, notification must be provided without unreasonable delay and in no case later than 60 days following discovery of the breach.  The notice must include, to the extent possible, a description of the breach, a description of the type(s) of information involved, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent future breaches, and contact procedures for individuals to ask questions.  If the breach affects more than 500 residents of a State or jurisdiction, the covered entity must also provide notice to prominent media outlets serving that State or jurisdiction.  Finally, covered entities must notify the Secretary of HHS of breaches of unsecured PHI through the HHS web site.  If the breach affects 500 or more individuals, this notice to the Secretary must be made without unreasonable delay and in no case later than 60 days following discovery of the breach; breaches affecting fewer than 500 individuals must be logged and reported to the Secretary no later than 60 days after the end of the calendar year in which they were discovered.

II.  Dermatology Practice Voluntarily Discloses a Breach:

The Massachusetts dermatology practice at issue is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. On October 7, 2011, the provider reported to HHS a breach of its unsecured electronic PHI (ePHI). The breach occurred after an unencrypted thumb drive, which stored ePHI regarding surgeries of approximately 2,200 individuals, was stolen from a staff member’s car. The thumb drive was never recovered.

Following proper HIPAA Breach Notification rules, the provider notified its patients within 30 days of the theft and provided notice to the local media. On November 9, 2011, HHS notified the provider that OCR intended to investigate the provider’s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

III.  Potential Violations of HIPAA:

OCR’s investigation revealed several notable deficiencies in the practice’s risk management and compliance practices. In particular, the investigation revealed that,

The provider did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012;

The provider did not fully comply with the requirements of the Breach Notification Rule, which requires covered entities to have written policies and procedures and to train workforce members on those policies and procedures, until February 7, 2012; and

The provider failed to reasonably safeguard the thumb drive that wound up being stolen.

These failures show that the provider’s problem was not how it responded to the breach.  Instead, OCR’s review focused on whether the provider was compliant with the Privacy, Security, and Breach Notification Rules before the incident, and whether the breach could have been avoided in the first place.

IV.  The Cost of this Dermatology Practice HIPAA Breach:

This dermatology practice HIPAA breach was ultimately settled for $150,000.  The provider is also required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  In particular, the provider will have to develop a risk analysis and a risk management plan that addresses and mitigates any security risks and vulnerabilities within its practice.  The provider will also have to provide OCR with an implementation report as part of the settlement agreement.

Notably, in its Press Release, HHS acknowledged that this settlement is the first where a covered entity has not had policies and procedures in place to address the breach notification provisions of the HITECH Act. “As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.”

 V.  Final Remarks:

Providers and other covered entities must understand the problems associated with an unexpected theft or other event that results in a reportable breach.  As this case demonstrates, a breach of PHI may open the provider up to a compliance investigation by OCR.  That investigation can lead to civil money penalties or a monetary settlement and, where knowing violations are found, referral to the Department of Justice for criminal prosecution.

It is imperative that all covered entities affirmatively review the mandatory requirements under the new HIPAA Omnibus Rule.  Frankly, there is no valid excuse for a covered entity not to have already conducted a proper risk assessment of its practice.  Appropriate safeguards to protect individual patient PHI must be instituted to ensure that a breach does not occur.  Don’t let a stolen thumb drive be the first time you assess the safety and security of your PHI.  Taking measures to implement an effective compliance plan is just your first step.  In doing so, you can better ensure that your continuing obligation to fully comply with applicable statutory and regulatory requirements is being met.  Need help setting up your Compliance Plan?  Give us a call.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits, HIPAA privacy requirements and other health law issues.  For a free consultation, call Robert at:  1 (800) 475-1906.


[1] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013), available at www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

[2] See 45 C.F.R. Part 164, Subpart D.

Disability Discrimination Cases are Being Pursued by the Office for Civil Rights.

(July 19, 2013):  Health care providers choosing to participate in Medicare, Medicaid and other Federal health benefits programs are obligated to comply with a wide range of statutory and regulatory requirements.  The issues most often cited in connection with these obligations involve questions of medical necessity and / or coverage, coding and billing requirements, and documentation mandates.  Health care providers are also required to comply with applicable employment laws, OSHA safety requirements, and the medical records privacy rules of HIPAA and HITECH.  Collectively, these laws and regulations represent a significant challenge for many small and mid-sized health care providers and organizations.  Nevertheless, it is essential that all health care providers keep in mind that Federal law also prohibits participating providers from engaging in disability discrimination.

I.  Regulatory Requirements Governing Participating Providers:

Pursuant to Section 504 of the Rehabilitation Act of 1973, as amended (Act), and its implementing regulations, 45 C.F.R. Parts 81 and 84, health care providers participating in programs receiving Federal funding cannot refuse to treat a patient on the basis of the patient’s disability.  At first blush, you may find it hard to imagine how (or why) a health care provider would ever even consider refusing to care for or treat a disabled patient because of the patient’s disability.  The case outlined below provides a stark example of how disability discrimination can result in serious administrative sanctions being pursued against a health care provider.

II.  Overview of a Recent Case:

The following summarizes the alleged acts which gave rise to an enforcement action by the Department of Health and Human Services (HHS), Office for Civil Rights (OCR):

  • A California physician who practices neurological surgery (surgeon) examined a patient covered by “Medi-Cal,” California’s Medicaid program.  Medi-Cal is jointly financed by Federal and State funds.

  • The patient suffered from hip and back pain and was referred to this surgeon for evaluation and treatment by his primary care physician.

  • After examining the patient, the surgeon recommended that the patient undergo surgery. The patient then agreed to seek pre-authorization for the procedure by Medi-Cal.

  • The surgeon subsequently learned that the patient was reported to be HIV positive.

  • The patient was recalled by the surgeon and was asked if, in fact, he was HIV positive.  When the patient responded affirmatively, the neurological surgeon then reportedly advised the patient that he would be unable to perform the surgery and recommended that the patient seek to have the procedure performed at the county hospital.

  • The neurological surgeon then discharged the patient from his practice “and, in correspondence advising the referring physician that he had done so, specifically mentioned that the young man was HIV-positive.”

(For a more detailed discussion of the facts in this case, you may wish to review the decision of the HHS Departmental Appeals Board).

A discrimination complaint was subsequently filed against the surgeon by the patient with OCR.  Consistent with applicable regulations, OCR is documented as having tried “to the fullest extent practicable,” to obtain the surgeon’s cooperation.  See 45 C.F.R. § 80.6(a).

Once it concluded that an informal resolution of this discrimination complaint would not be forthcoming, OCR recommended that HHS take action to suspend or terminate the recipient’s Federal financial assistance.  See 45 C.F.R. § 80.8(c).

On or about August 2, 2012, that is precisely what occurred.  An Administrative Law Judge (ALJ) for the HHS’ Departmental Appeals Board determined that the surgeon’s:

“lack of cooperation establishes that he will not voluntarily comply with the Act and regulations and that OCR will not be able to assure his compliance by informal means. Termination of his federal financial participation is therefore an appropriate remedy for his refusal to comply voluntarily. 45 C.F.R. § 80.8(c).” 

In reaching this conclusion, the ALJ then ordered:

“I therefore order that the responsible HHS officials suspend, terminate, refuse to grant or continue [Surgeon’s] Federal financial assistance, until he satisfies those officials that he will comply with the Act and regulations.”

As a review of the record shows, OCR made multiple settlement overtures to resolve the complaint with the surgeon, but its efforts were ultimately unsuccessful.

III.  Disability Discrimination Lessons Learned:

As a review of the Opinion issued by the Departmental Appeals Board will show, OCR diligently attempted to resolve this issue with the surgeon informally before taking the case forward.  Now that the surgeon has been effectively suspended from receiving Federal funds, he is effectively barred from treating Medi-Cal patients.  While additional sanctions involving Medicare and other Federal health benefits programs could later take place, no discussion of these programs is covered in the ALJ’s opinion.  Nevertheless, what are some of the potential actions that could conceivably take place in the future?

(1)  From a public relations standpoint, this action could be disastrous for a health care provider’s practice.

(2)  Depending on how the action is worded and how it is perceived by State licensure officials, this action could result in an investigation and possible sanctions by a State Medical Board.

(3)  Most, if not all, private payors require that health care providers give them written notice of any adverse actions taken by another payor within 30 – 60 days.  This action could therefore result in the proposed de-credentialing of the surgeon from one or more private plans.

(4)  Many hospitals require that a health care provider be a participating provider in the Medicare and / or Medicaid programs in order to receive admitting privileges at their institution.  An adverse action such as this against a provider’s Medicaid status could result in action being taken by hospitals where the provider is privileged.

Notably, the decision in this case is not the same as an exclusion action.  In fact, the way it is worded almost implies that if the surgeon takes remedial action, his Medi-Cal eligibility will be reinstated.

As a final point, this case clearly illustrates OCR’s emergence as an enforcement agency to be reckoned with.  While prior administrative enforcement sanctions have focused on Civil Monetary Penalties (CMPs), this action effectively suspends a health care provider’s ability to participate in Medicaid, short of seeking a permissive exclusion action against the provider.

From a regulatory standpoint, this case can serve as a real-life example of the importance of developing and implementing a comprehensive, effective Compliance Program.

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker PLLC, a boutique health law firm with offices in Washington, DC, Texas and Louisiana.  Liles Parker attorneys represent health care providers around the country in compliance, regulatory and peer review related actions.  Should you need assistance, feel free to give us a call.  Call Robert for a complimentary initial consultation at:  1 (800) 475-1906.


HIPAA Breach Penalties are Being Assessed for Potential Disclosures of Less than 500 Patients. Have You Taken Steps to Prevent a Breach?

HIPAA Breach Penalties are Increasing.

(January 8, 2013):  A few days ago, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued an important announcement, one which is likely to affect ALL health care providers at some point.  OCR announced that it has entered into a monetary settlement with an Idaho-based hospice company in connection with a HIPAA breach involving fewer than 500 patients.  As the settlement agreement details, the hospice company has agreed to pay $50,000 to settle potential violations arising out of the company’s loss of an unencrypted laptop that contained protected health information (PHI) and was being used outside of the office.

While the hospice company did, in fact, report the loss, OCR noted that prior to the loss the hospice had NOT conducted a risk analysis and had no policies or procedures in place to address mobile device security.  Under HIPAA, all covered entities are required to have safeguards in place to prevent this (and similar) types of HIPAA breaches from taking place.  OCR’s Director, Leon Rodriguez, stated:

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information. Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

Covered entities are required to report breaches affecting 500 or more patients to the Secretary of HHS, and to prominent media outlets where more than 500 residents of a State or jurisdiction are affected, without unreasonable delay and no later than 60 days after discovery.  Smaller breaches must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.  In this particular case (which occurred in 2010), a total of 441 patients had their information put at risk.  Notably, OCR’s announcement did not indicate that any patient suffered harm as a result of the laptop’s loss or this alleged HIPAA breach.  Nor is it alleged that any type of identity theft took place.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker.  Robert and the other attorneys at Liles Parker represent health care providers in HIPAA related audits and projects.  Should you have any HIPAA privacy questions, please give us a call for a free consultation.  Robert can be reached at:  1 (800) 475-1906.