Skip to main content

For the Second Time Ever, HIPAA Violation Results in Monetary Penalty- Costs Provider $240K

By February 29, 2016January 2nd, 2019Compliance & Ethics
  • Recent case proves that HIPAA penalties are a reality for providers who fail to follow HIPAA requirements and have HIPAA policies in place

In February of 2016, an Administrative Law Judge (“ALJ”) ruled that Lincare, Inc. (“Lincare”), a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, violated the Health Insurance Portability and Accountability Act (“HIPAA”) requiring Lincare to pay $239,800 in civil money penalties (“CMPs”) to the Health and Human Services’ Office for Civil Rights (“OCR”). In the past few years, OCR has been active in obtaining settlements for significant monetary payments from covered entities who have violated HIPAA, but this was only the second time that OCR imposed CMPs outside of a settlement agreement. The investigation of Lincare started when an individual complained that a Lincare employee had left behind documents containing protected health information after moving. The OCR’s investigation of Lincare then uncovered that Lincare had inadequate policies and procedures in place regarding safeguarding protected health information (“PHI”), even though employees regularly took patient information off Lincare premises.

OCR’s Director Jocelyn Samuels commented that:

While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules . . . . The decision in this case validates the findings of our investigation.  Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.

The ALJ’s opinion can be found on OCR’s website here.

The case against Lincare should be a reminder for all providers to both take precautions to safeguard protected health information and to have policies in place requiring employees to do so. Failure to do so can mean more than just a reminder from OCR, but instead litigation, and significant penalties. 

If you would like additional information regarding HIPAA, or would like assistance in obtaining or updating your policies, please contact Jacqueline Anderson ( at (866) 495-5608.

Please note that this alert is intended to be informational only, and is not intended to be nor should it be relied upon as legal advice. Rolf Goffman Martin Lang LLP will not be responsible for any actions taken or arrangements structured based upon this alert. The receipt of this alert by an organization that is not a current client of Rolf Goffman Martin Lang LLP does not create an attorney-client relationship between the recipient and the law firm.

©2016. Rolf Goffman Martin Lang LLP. All Rights Reserved.