Ex-Husband's Revenge Leads to HHS Trophy

Apr 18, 2016 at 05:44 pm by steve


Patient care is not confined to a single office or exam room, or to a single physician or other provider. Caring for patients today involves complex coordination among physicians, nurses, technicians, staff, management, and others. Technology connects us at all hours and in all places so that we can provide prompt care, whether on call or not. In our mobile society, patients expect more, and we want to give them more. The combination of electronic medical records and greater mobility creates complex privacy issues, and the federal agencies enforcing the laws and regulations meant to protect patients from harmful disclosure of protected health information (PHI) recently showed no mercy to one provider.

Many lessons can be learned from this story. It is another reminder to regularly update HIPAA policy and procedure manuals, and to be especially aware of PHI leaving the office. Here is the gist:

  • The summary: Civil monetary penalties totaling $239,800 for HIPAA violations.
  • The source: A manager's ex-husband.
  • The infraction: Taking home PHI for 278 patients and leaving it under a bed and in a car.
  • The damage to patients: None known.
  • The result: OCR's second-ever civil monetary penalty for HIPAA violations.

After an apparently bitter divorce, a man said he found his ex-wife's work files containing PHI hidden under a bed at home. Perhaps she forgot them. Maybe they were duplicates or not part of patient charts. Perhaps he took them from her car and none of this is true; the employee's position was that the records had been locked in the trunk of her car. But that is speculation, and as discussed below, it did not matter to the outcome.

The ex-husband reported her to the Office for Civil Rights (OCR), the HHS office that enforces the HIPAA Privacy and Security Rules. OCR launched an investigation into her employer, a division of Lincare that provides home health care and medical equipment across the country. It is difficult to imagine many home health companies, or almost any health care provider, that does not need to take or use PHI outside the office to care for patients or to get the job done. Having sound policies that address this common scenario is therefore essential.

According to HHS, "this employee removed patients' information from the company's office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether." More specifically, according to the Administrative Law Judge's findings, the employee took PHI home from work, left it "exposed" by locking it in her car and hiding it within her locked home, and "abandoned" it by leaving it under her bed when she left the family home upon divorce. Because her ex-husband had access to the car and the home, including under the bed (and he received the home in the divorce), this was treated as both an impermissible disclosure and a failure to safeguard, which are separate violations for which OCR imposes separate penalties. OCR rejected as irrelevant the argument that her husband stole the PHI out of her car: because she shared the home and car with her husband, she had "shared" or "disclosed" the PHI to him as an unauthorized person regardless of how he came to read it.

OCR also determined that because Lincare regularly allowed PHI to leave the office, its privacy policy needed to do more than require that PHI be kept confidential, which its policy did; it also needed to include "policies, procedures or instructions for safeguarding PHI that is taken off the premises," which it apparently did not. The employee was a manager, so she does not appear to have been taking records home for patient care purposes, and the available record does not reveal whether Lincare permitted managers to take PHI home. The simple fact that anyone regularly takes PHI from the office means, according to OCR, that Lincare should have had a more specific policy and procedure to address it.

For these violations, the Civil Monetary Penalty (CMP) imposed was $25,000 for disclosure of PHI by making it available to her husband, $25,000 for failing to safeguard PHI from her ex-husband, and $189,800 for willfully inadequate policies and procedures, calculated at $1,000 per day for the period Lincare operated without an adequate policy manual.

The Administrative Law Judge (ALJ) agreed, affirming OCR's penalties on February 2, 2016. OCR and the ALJ remind us that the federal regulations (45 CFR 160.103) define "disclosure" of PHI broadly, as the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding it; simply making PHI accessible to an unauthorized person counts, even if no one hands it over. Reasonable safeguards against disclosure to family and friends at home and on the move must be part of any HIPAA manual.

Managing health care companies is complicated enough in the office. We cannot manage each employee's home and family relationships. PHI that necessarily leaves the office changes what can be controlled, and therefore justifies more rigorous policies to protect PHI and to protect the health care provider from penalties. Management certainly cannot control spouses or other family and friends. It is tempting to buy form books of policies and judge their value by the number of binders or megabytes. It is even more tempting to leave the books on the shelf without any follow-up while focusing on taking care of our patients. Current federal rules practically dictate more thoughtful care in handling patient information. HHS expects a high level of thoughtfulness, foresight, and follow-up. RAC auditors, OCR investigators, qui tam relators, OIG investigators, and U.S. Attorneys are certainly following through in search of their own trophies.

 


Tom Wood is a partner in the Health Care Practice Group at Burr & Forman LLP and represents health care providers in regulatory and litigation matters.