Liles Parker PLLC

Home Health HIPAA Violation Costs $239,800!

March 30, 2016 by  
Filed under Home Health & Hospice

(March 29, 2016) Lincare, Inc., a provider of respiratory care, infusion therapy and medical equipment to in-home patients, will pay $239,800 in Civil Money Penalties (CMPs) for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule after an HHS Administrative Law Judge (ALJ) ruled in favor of the Office for Civil Rights (OCR). This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and both times the CMPs have been upheld by the ALJ.

OCR’s investigation of Lincare began after an individual, the estranged husband of a Lincare employee, complained that she had left behind documents containing the protected health information (PHI) of 278 patients after she moved out of their residence. The Lincare employee had kept documents containing patient PHI in her car, to which her husband had keys, and had left documents behind in the home after moving. Lincare did not learn the documents were missing until months later, when the employee’s estranged husband reported to Lincare and OCR that he had the documents containing PHI in his possession.

I. Lincare Was Alleged to Have Not Properly Safeguarded PHI:

Under HIPAA, all covered entities, including home care providers, must protect the privacy of the PHI of those they treat. To implement this, HHS issued the “Privacy Rule,” which sets the standards for protecting PHI, bars covered entities from disclosing it, and provides that they “must reasonably safeguard” PHI from “any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements.”

Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures to safeguard patient information that was taken offsite, although its employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Lincare had instructed its managers to maintain copies of the procedures manual “secured” in their vehicles so that company employees would have access to patient contact information if a center office were destroyed or became inaccessible.

The ALJ held that Lincare failed to develop and implement policies and procedures reasonably designed to protect its patients’ PHI while those documents were out of the office.

Under the ALJ’s ruling, all covered entities must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.

Lincare claimed that it had not violated HIPAA because the PHI was “stolen” by the individual who discovered it on the premises previously shared with the Lincare employee.  The ALJ rejected this argument, holding that under HIPAA, Lincare “was obligated to take reasonable steps to protect its PHI from theft.”

The court noted that even after Lincare learned of the breach, it took no steps to prevent further disclosure of PHI and its managers “did not seem to recognize they had a significant problem protecting PHI that was removed from the office.”

When asked whether Lincare had considered revising its policies to include specific guidelines for taking PHI out of its offices, the Corporate Compliance Officer responded that it had “considered putting a policy together that said thou shalt not let anybody steal your protected health information.”  Since sarcasm is seldom appreciated in a courtroom, the ALJ did not “consider this a serious response.”

II. Lincare Was Alleged to Have Failed to Develop or Implement Appropriate Policies and Procedures to Prevent the Improper Disclosure of PHI:

The ALJ held that providers must develop and implement adequate policies and procedures, reasonably designed to ensure compliance, taking into account the size and the type of activities undertaken by the covered entity, and again noted that such policies and procedures must be maintained “in written or electronic form.”

While Lincare had a written privacy policy that addressed maintaining records within the center offices, “no written policy even addressed staff’s protecting PHI that was removed from the offices.”

Lincare did revise its policies after it learned of the unauthorized disclosure, but the revisions provided “no guidance to employees required to remove documents from the office’s secured storage space.” Poorly written policies such as these, which are overly broad and provide “no usable guidance to employees,” do not satisfy the Privacy Rule requirements.

Lincare further claimed that it satisfied the HIPAA requirements because its employees were trained in privacy policies and “understood those policies, practices and procedures.” The ALJ rejected that contention, holding that “even if training were flawless … staff training does not compensate for missing policies. In addition to having policies and procedures in place, the covered entity must train all members of its workforce.”

In conclusion, it is imperative for all health care providers that provide services to patients outside of an institutional or clinical setting to develop and implement adequate policies and procedures, in written or electronic form, that are reasonably designed and specifically address the “type of activities,” such as protecting PHI “off-site,” to ensure compliance with the Privacy Rule.

Anthony Cutrona, Esq. is a health law attorney with Liles Parker, Attorneys & Counselors at Law. Liles Parker has offices in Washington, DC; Houston, TX; San Antonio, TX; McAllen, TX; and Baton Rouge, LA. Our attorneys represent home health agencies, physicians, dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects. Need assistance? For a free consultation, please call: 1 (800) 475-1906.

HIPAA Encryption is the Best Way to Avoid a Violation

(May 29, 2014): On April 22, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) announced that it had entered into resolution agreements with two entities for $1,725,220 and $250,000, respectively, to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The main takeaway from these settlements? Covered entities and business associates could best protect themselves against future violations through HIPAA encryption procedures.

I. HIPAA and HITECH Impose Duty to Safeguard Privacy and Security of Patient PHI:

Under the Health Insurance Portability and Accountability Act of 1996[1] (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act[2], covered entities[3] and business associates[4] must safeguard the privacy and security of their patients’ Protected Health Information (PHI). PHI includes any information held by a covered entity that concerns health status, provision of health care, or payment for health care and that can be linked to an individual.[5]

Additionally, in January 2013, HIPAA was updated via the Final Omnibus Rule. These updates not only greatly enhanced a patient’s privacy rights and protections, but also strengthened the ability of HHS-OCR to vigorously enforce the HIPAA privacy and security protections. For example, covered entities and business associates must review and modify security measures as needed to ensure the continued provision of “reasonable and appropriate” protection of EPHI.[6] Moreover, the impermissible use or disclosure of PHI (i.e., in violation of the HIPAA Privacy Rule) is now presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.[7]

However, while employees of covered entities and business associates regularly use laptops, tablets or other mobile devices to access, store and transmit electronic PHI (EPHI), many of these entities have not implemented the requisite safeguards to protect this sensitive information. These devices, many of which remain unencrypted, leave EPHI vulnerable to unauthorized access and disclosure. Under these circumstances, a “breach”[8] has occurred and must be reported. Furthermore, there are significant civil monetary penalties for security breaches. In light of these risks, HIPAA encryption is recommended.

II. Stolen Laptops Without HIPAA Encryption Lead to Settlements:

Breaches regularly occur when electronic devices are lost or stolen. In fact, stolen laptops with unencrypted EPHI have resulted in many recent settlement agreements with HHS-OCR. Just last month, two covered entities agreed to collectively pay HHS-OCR almost $2 million to resolve potential violations of the HIPAA Privacy and Security Rules.

Following the first covered entity’s submission of a breach report indicating that a laptop had been stolen from one of its facilities, HHS-OCR initiated a compliance review. HHS-OCR concluded that the covered entity recognized that lack of HIPAA encryption of electronic devices posed a security risk to patient data. However, it “failed to adequately remediate and manage its identified lack of HIPAA encryption or, alternatively, document why HIPAA encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.”

As to the other covered entity, HHS-OCR found that it “did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule.”

As part of the resolution agreements with HHS-OCR, each covered entity entered into a corrective action plan under which it agreed to provide OCR with an updated risk assessment management plan, updates on the HIPAA encryption status of its devices and equipment, and proof that it had completed security awareness training of its staff.

III. Final Remarks:

A review of both settlement agreements reveals some interesting findings. Notably, both agreements reflect some degree of compliance with the Security Rule prior to the imposition of a monetary settlement. While covered entities and their business associates should review these settlement agreements, it is important to understand that partial compliance with HIPAA and HITECH is NOT SUFFICIENT. If you are found to be in violation of the Rules, civil monetary fines will be levied on you.

Covered entities and business associates should ensure that they are in FULL COMPLIANCE with the requirements of HIPAA. You must take steps to immediately conduct a full Security Rule risk assessment and mitigate any identified risks to patient PHI. Do you need help conducting a risk assessment or instituting a full compliance program? We would be more than happy to assist you. Give us a call today.

Remember: if you and your staff are using laptops to access, store and transmit ePHI, OCR has given you the appropriate guidance to safeguard your patients – and YOU: “[…] encryption is your best defense against these incidents.”

Robert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors. The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews. For a free consultation, call 1 (800) 475-1906.

[1] Pub.L. 104–191, 110 Stat. 1936.

[2] Enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5).

[3] “Covered entities” generally include health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions. 45 C.F.R. § 160.103.

[4] See 45 C.F.R. §§ 160.102 and 160.103.

[5] 45 C.F.R. § 164.501.

[6] 45 C.F.R. § 164.306(c).

[7] 45 C.F.R. §§ 164.400–414.

[8] See 45 C.F.R. § 164.402.

Healthcare Cloud Computing – Compliance Risks

(August 14, 2012): Cloud computing is in the process of revolutionizing the way that individuals and businesses store, receive, and use their data. You may have heard about it through companies such as Google, Apple, and Microsoft, all of which advertise sophisticated cloud computing services. But what are the risks your organization faces with respect to healthcare cloud computing?

I.  What is Healthcare Cloud Computing?

Essentially, “healthcare cloud computing” is the process of using various offsite computer and server resources that are delivered to users remotely through the internet. You use a program on your computer to access data, software, and powerful processing resources at a remote location. Because nearly all of the data storage and processing is done remotely, there is less of a need for high-powered, sophisticated computers at a user’s location, meaning individuals and small businesses can access computer tools that had previously only been reserved for the largest of corporations. In fact, a recent survey by Microsoft found that 39% of small business owners were beginning to engage in some sort of cloud-based computing.

II. Risks of Healthcare Cloud Computing:

Reliance on healthcare cloud computing can expose a provider and his or her practice to a variety of very serious risks. Chief among these risks is the potential for a substantial privacy breach. Because data and data systems are maintained offsite, a provider, biller, or facility cannot ensure that the data contained on these remote servers is properly secured. As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use of Protected Health Information (PHI) through its Security and Privacy Rules. These laws, administered by the Office for Civil Rights (OCR), protect the privacy of individual patients by setting out rules and repercussions concerning the wrongful use or disclosure of PHI. Under HIPAA and the HITECH Act of 2009, there are 4 tiers of potential penalties a “covered entity” might face for wrongful use or disclosure or a security breach. Notably, nearly every healthcare provider is, at this point, a covered entity.

Despite an awareness that both known and emerging risks are present, many health care providers appear to have concluded that the unparalleled convenience of healthcare cloud computing more than makes up for the potential dangers of using this medium. Notably, many cloud computing services advertise that they are HIPAA compliant or have undergone an SAS 70 Type II audit. Be careful – these audits vary greatly in their adequacy and sophistication, and may fail to meet the standards of HIPAA and HITECH. On top of this, as a health care provider, you are not in a position to ensure that the cloud computing company will continue to meet these standards. In any event, should a breach occur, you will still be on the proverbial “hook” with OCR and its auditing contractors. Your decision to store PHI on a cloud computing server will not relieve you of your obligation to safeguard patient medical records and personal information. You, not the cloud service provider, are ultimately responsible for the PHI entrusted to you by your patients. There are a number of technical security concerns that you should understand:

• First, how is data stored at the 3rd party site? Is the data of all clients thrown together on one server or on one hard drive, or does each client have a dedicated server? In addition, what if a server has a technical failure? If such an event occurs (as it inevitably will), the 3rd party vendor needs to completely destroy any PHI on the failed servers and have a backup available to ensure that the data still exists in some form. It is difficult for both you and the 3rd party vendor to guarantee this.

• Second, transferring data to and from your “cloud” must be done through a secure channel (that is, “https://”). You need to specifically inquire with a cloud vendor whether a dedicated, secure connection can be established so that the “highway” through which your data passes cannot be accessed by others.

• Third, the interface your organization uses to interact with the remote cloud server is at risk for security breaches, and you should ensure that the 3rd party host has developed properly secured interfaces. Again, this can be hard to do.

• Finally, and probably most importantly, what about the employees of the remote cloud service? They generally have access to a substantial amount of sensitive data, and you have no ability to train, discipline, or terminate those individuals should wrongdoing occur. As you know, next to the theft of laptops and other mobile electronic devices, curious employees accessing PHI without authorization is the most common type of breach under HIPAA. Couple that with a 3rd party vendor over whose employees you have no control, and it could mean substantial trouble if an individual employee decides to start exploring your patients’ medical records.

III. Conclusion:

As a result of these serious concerns, we strongly recommend that providers continue to use an internal server stored onsite. While it can be more expensive, it’s the only true way to ensure that your patients’ PHI is protected in accordance with HIPAA’s Privacy and Security Rules. In addition, you should consider conducting an internal HIPAA audit of your physical security, administrative safeguards, and electronic transmissions. Importantly, this audit should be done through counsel, so that any concerns may be reasonably covered by the attorney-client privilege.

Robert Liles, healthcare lawyer, counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at: 1 (800) 475-1906.