As we head further into 2016, the Department of Health and Human Services’ Office for Civil Rights has pledged to step up investigations of reported violations of the Health Insurance Portability and Accountability Act of 1996. According to Dentistry IQ, the government body has also promised to ramp up the number of routine audits for healthcare providers, after executive officials announced that overall compliance with the HIPAA privacy rule will receive even greater scrutiny this year. The privacy rule of HIPAA pertains to the protection of patient health information, and the issue has become a great concern recently due to the explosion of digital platforms in the healthcare industry, such as electronic health records. Despite the multitude of benefits associated with these new technologies, they are vulnerable to cyberattacks that could compromise patient data and privacy.
Healthcare provider Lincare faces enormous financial penalty
Amid a growing number of prosecutions of large healthcare companies for HIPAA violations, the OCR recently secured a settlement with Lincare, one of the nation’s leading in-home healthcare organizations, Home Health Care News detailed. Specializing in respiratory care, Lincare is owned by German company the Linde Group. Lincare has over 1,000 locations across the U.S. and Canada.
Lincare is liable to pay a substantial HIPAA violation penalty of just under $240,000. The fine will take the form of a civil monetary penalty, which marks only the second time that the OCR has secured that kind of settlement, Home Health Care News explained. CMP cases are generally decided after the prosecuted body refuses to take responsibility for the charges brought against it.
Why was Lincare fined?
According to Home Health Care News, the case against Lincare was introduced after it was revealed that a manager from a Lincare branch in Arkansas had left behind confidential records of 278 patients in her car after she decided to leave her husband. The manager involved, Faith Shaw, was actually complying with Lincare policy that mandated that procedure manuals be securely stored away in cars as a form of backup. The issue arose, however, after Shaw left the car behind at the end of her marriage – a vehicle that her husband had access to. Shaw’s estranged husband later contacted Lincare and the OCR to report that he had discovered the private records.
Shaw later claimed that the data had actually been stolen by her former husband in a blackmail attempt to win her back, and Lincare sought criminal charges against him. However, an administrative law judge refused to accept Lincare’s version of events and ruled in favor of the OCR after Lincare launched an appeal. The ALJ proceeded to argue that as an organization, Lincare had failed to implement effective HIPAA compliance guidelines, even after the significant security breach had occurred.
Home Health Care News asserted that the case is indicative of issues surrounding HIPAA privacy rule compliance and home healthcare providers: Workers in the field of home healthcare are often required to bring patient health records out of the office to patient homes, rendering them more vulnerable to a privacy breach.
Other leading hospitals receive large fines
Lincare’s penalty is just the latest in a string of high-profile cases against leading healthcare providers. University of Washington Medicine, for example, was forced to pay a HIPAA penalty of $750,000 at the end of December 2015 after it was revealed that 90,000 patients’ health records had been compromised by malware opened in an email. In addition to the fine, UWA was ordered to develop and implement a corrective action plan.