PHI Found in Home Therapy Employee’s Car and Home; Employer Fined

​A U.S. Department of Health and Human Services' (HHS) administrative law judge has upheld the HHS Office for Civil Rights' (OCR) findings that an in-home therapy provider violated the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and must pay civil monetary penalties of $239,800. In its February 3, 2016, press release about the decision, HHS said the ruling is the second time in the history of HIPAA that OCR has sought civil monetary penalties for HIPAA violations and that each time the findings were upheld by an administrative law judge. OCR began the investigation of Lincare Holdings, Inc. (Clearwater, Florida), which operates in 48 states, after learning that a Lincare manager kept documents with protected health information (PHI) of nearly 300 patients in her home, under a bed and in a kitchen drawer, as well as in her car. The manager's husband, who was not a Lincare employee, reported the violations when the manager moved out of their home. OCR found that the company had inadequate policies and procedures in place to safeguard patient information that was taken offsite.