The Implications of Divorce and HIPAA Violations
Divorce & Family Law Divorce Health Care Health Care Other
Summary: A blog post about a recent case involving a divorce that caused a violation of HIPAA when an employee of a healthcare provider left behind classified patient information after a divorce.
If you have questions about divorce, legal separation, spousal HIPAA violations, or alimony in Connecticut, please feel free to call the experienced divorce attorneys at Maya Murphy, P.C. in Westport today at 203-221-3100 or email Joseph C. Maya, Esq. at JMaya@Mayalaw.com.
The Office of Civil Rights (“OCR”), a division of the Department of Health and Human Services, recently took the rare step of imposing civil monetary penalties against a large home health provider for violating the Health Insurance Portability and Accountability Act (“HIPAA”), highlighting the importance of developing written policies that meet the realities of how and where employees use documents with patients’ personal health information (“PHI”).
HIPAA creates privacy rights and protections for consumers of health services. To ensure these rights are protected, entities that possess and transmit PHI, defined as “covered entities,” are required to safeguard that information. Lincare provides respiratory care, infusion therapy and medical equipment to in-home patients. Because Lincare employees often traveled to patients’ homes, they routinely had to take protected health information into the field to perform their duties. However, Lincare also had a practice of requiring its employees to keep copies of documents containing PHI in their vehicles so that they could access the information if the physical office were destroyed or otherwise made inaccessible. These practices are not, in and of themselves, HIPAA violations. However, Lincare was required to develop and implement policies and procedures, in either written or electronic form, reasonably designed to protect its patients’ PHI while those documents were out of the office.
The problem is this case arose when a Lincare employee kept documents with PHI in her car even though she knew that her husband had keys to the car. The employee and her husband had a falling out. The employee moved out of her home and left her car – and the documents – behind. Months later, the husband reported to Lincare and the OCR that he had the documents. The OCR investigated and found that, while Lincare had a written policy designed to safeguard PHI within its offices, it did not have a policy addressing PHI taken into the field. Accordingly, OCR concluded that Lincare violated HIPAA and imposed a penalty of nearly $240,000.
Lincare contested the penalty to an Administrative Law Judge (“ALJ”), offering the defense that it was a victim of theft. Lincare claimed that the employee’s husband stole the documents and reported them to Lincare and OCR in an attempt to induce his estranged wife to return to him. The ALJ found this to be an ill-conceived defense because, assuming Lincare’s version of the breach were true, it was more damaging to their case. The ALJ noted that HIPAA required Lincare to take reasonable steps to protect PHI from theft and the alleged theft in this case only highlighted the fact that Lincare failed to adopt any policies and procedures to safeguard PHI taken into the field. Accordingly, the ALJ upheld the OCR’s penalty.
For covered entities, this case illustrates the importance of assessing the realities of how and where your employees use PHI. In a perfect world, PHI would never leave the safety of a locked file cabinet. In reality, employees often need to take PHI outside of the safety of the file cabinet or even the office to perform their duties. If a covered entity does not adopt written policies and procedures to address the realities of how and where PHI is being used, they may be risking significant civil penalties.
For a free consultation, please do not hesitate to call the experienced family law and divorce attorneys at Maya Murphy, P.C. in Westport, CT at 203-221-3100. We may also be reached for inquiries by email at JMaya@mayalaw.com.
Source: Martindale