HIPAA Alert: Removing Patient Info from Premises Leads to $200,000+ Fine

Lincare, a provider of services to in-home patients, was recently court-ordered to pay $239,800 to the Office of Civil Rights (OCR).

Lincare’s problems began when an employee left behind documents containing protected health information (PHI) of 278 patients after moving offices. The employee removed patients' information from the office, left it exposed in places where an unauthorized person had access, and then abandoned it altogether. 

Lincare was found to have inadequate policies and procedures in place to safeguard patient information taken offsite, although employees, who provide health care services in patients' homes, regularly removed material from the business premises.

All covered entities, including home health providers, must ensure they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of PHI while it is being transported off-site, whether in paper or electronic form.

Before you take any patient records offsite, check with your supervisor to make sure you understand the policies and procedures for protecting patient information during transportation to another site.

If you have additional questions on this topic, please contact the HIPAA Privacy Officer at 402-354-4901.