The Department of Health and Human Services (HHS) has announced a ruling by an administrative law judge upholding penalties sought by HHS for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under the ruling, a HIPAA covered entity must pay nearly $240,000 in penalties for violations of HIPAA's privacy requirements.
On February 3, 2016, HHS issued a press release announcing an administrative law ruling imposing civil money penalties of nearly $240,000 against a HIPAA covered entity for violations of the HIPAA privacy rule (see Practice Note, HIPAA Privacy Rule). HHS sought the penalties after it was unable to settle the matter informally. According to HHS, this marks only the second time the agency has sought civil money penalties for HIPAA violations (see HIPAA Enforcement and Group Health Plans: Penalties and Investigations). (The first-ever civil money penalties, for $4.3 million, involved a 2011 action against a provider that denied its patients access to their medical records (see Practice Note, HIPAA Privacy and Security: Individual Rights).) The covered entity invoked its right to a hearing before an administrative law judge (ALJ) to challenge HHS's proposed penalties, but the ALJ's decision upheld the penalties.
The HIPAA covered entity, a home health provider with more than 850 branch locations and operations in 48 states, maintained the protected health information (PHI) of more than 275 individuals who received services from the company's employees. The company became the subject of an HHS investigation after the husband of one of the company's managers complained that his wife, from whom he was estranged, had left behind company documents in their home. The documents contained the PHI of the company's patients, including the individuals' names, addresses, telephone numbers, and emergency contacts. The manager was also responsible for patient-specific documents (for example, diagnoses and medical test results) for several of the company's patients. Per the company's policy, the manager removed these documents from the office and kept them in her car, so as to have ready access to them. When the manager moved out of the couple's home, however, she left the documents behind and later conceded to HHS that she was uncertain where her car was parked. Her husband informed the company and HHS that he:
Discovered the PHI under a bed and in a kitchen drawer.
Was in possession of the abandoned documents.
The ALJ determined that the company's policies were inadequate because (among other reasons):
No written policy addressed how staff members should protect PHI that was removed from the company's offices.
Policies implemented after the manager's unauthorized disclosure similarly failed to address this issue.
No policies existed to monitor documents removed from the company's offices or to ensure their return.
The ALJ determined that the company violated HIPAA by failing to:
Reasonably safeguard its patients' PHI, thereby allowing an unauthorized individual to access that information.
Develop and implement policies and procedures to protect PHI removed from its branch offices.
The ALJ therefore granted summary judgment in HHS's favor and upheld the proposed civil penalties.