Do You Know Where Your Data Is?

For only the second time in its history, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a civil money penalty (CMP) on a covered entity for allegedly violating the HIPAA Privacy Rule. The Administrative Law Judge’s (ALJ’s) decision upholding the $239,800 CMP against Lincare, Inc. is a reminder that when employees take protected health information (PHI) home but do not adequately protect it, trouble may follow.

Although this is the second time OCR has imposed CMPs, this is the first time the covered entity appealed the penalties to an ALJ. The ALJ upheld the OCR decision on summary judgment, suggesting that it may be an uphill battle to overcome deference to OCR’s interpretation of what privacy and security practices are reasonable.

Taking PHI offsite and working remotely are common occurrences. Covered entities and business associates that permit or require workforce members to remove records containing PHI should take note of OCR's enforcement action and the ALJ's decision, as the judgment against Lincare may bear directly on their own business operations.

Please read our full advisory here for some take-away considerations in the wake of this CMP and further guidance for covered entities and business associates when taking PHI offsite.