Ex-Spouse and HIPAA Collide

Episode 65: Know The Rules! Case Study – Ex-Spouse and HIPAA Collide

Did You Know?

A box containing 5 years of protected health information (PHI) had been returned to Hanger Clinic in Florida by a former employee’s ex-spouse. This is not the first time a former and HIPAA collide.

Hanger Breach Details

On September 17, 2018, a box of patient insurance documents from 2009 – 2014 were returned to Hanger Prosthetics & Orthotics, Inc. (“Hanger”).

How Did This Happen?

😱  Ex-spouse of a past Hanger employee found the box at his home stored with boxes of his own records.

🤗  Thank goodness the former spouse did the right thing and promptly returned the box to Hanger upon its discovery‼

Why is this significant?

This is NOT the first time an ex-spouse has been involved in reporting a HIPAA violation, just ask Lincare, Inc., doing business as United Medical.

In 2016, Office of Civil Rights (OCR) imposed their second ever civil monetary penalties to Lincare after an ex-spouse of a former manager turned his wife’s work files over to the Office of Civil Rights (OCR).

Over the course of this investigation, OCR found:

  • The manager left documents containing PHI of 278 patients accessible where unauthorized individuals could gain access.
  • Lincare had inadequate policies and procedures in place to safeguard patient information taken offsite.

And here is what OCR did:

  • Lincare was ordered to pay the second ever civil monetary penalty for HIPAA violations, and they paid $239,000.
    • › Penalty breakdown:
      • » $25,000 for disclosure of PHI by making it available to spouse
      • » $25,000 for failing to safeguard PHI from spouse
      • » $189,800 for willfully inadequate policies and procedures ($1000 for each of 189 days without an updated policy manual).

Clearly, this case provides an example for healthcare organizations of all sizes on the importance of reviewing your HIPAA policy and procedure manuals.


Knowing when PHI is leaving the office!

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility!

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, they expect it to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?


Join us in the HIPAA for Business Associates Facebook group to learn how HIPAA applies to YOUR organization, and YOU too can become a defender of PHI!!