Mass General HIPAA Penalty: $1 Million

Lost Documents Included Information on AIDS Patients
In the second major HIPAA enforcement action announced by federal authorities this week, Massachusetts General Hospital and its physicians organization have entered into a resolution agreement that calls for paying a $1 million settlement and taking corrective action to avoid future violations. The case involved the loss of documents that included information on patients with HIV/AIDS.

Earlier this week, the Department of Health and Human Services announced a $4.3 million civil monetary penalty against Cignet Health. That case apparently included a heftier financial penalty because it did not involve a negotiated resolution agreement.

With the two announcements of penalties for HIPAA privacy rule violations, HHS' Office for Civil Rights appears to be giving strong signals that its long-promised plans to ramp up enforcement efforts are now a reality. "We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," said OCR Director Georgina Verdugo.

The resolution agreement with Massachusetts General stems from the loss of scheduling documents for 192 patients in the hospital's General Infectious Disease Associates outpatient practice, including those with HIV/AIDS. OCR initiated its investigation when a patient whose information was lost filed a complaint.

The patient encounter billing forms and schedules were lost on March 9, 2009, when a hospital employee, while commuting to work, left them on a subway train. They included such information as names, medical records numbers, insurance information and diagnoses.

The corrective action plan calls for Massachusetts General to:

  • Develop and implement a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital;
  • Train staff members on these policies and procedures;
  • Designate the director of internal audit services of Partners Healthcare System, the hospital's parent company, to serve as an internal monitor who will conduct assessments of the hospital's compliance with the corrective action plan and submit semi-annual reports to HHS for three years.

In a statement, Massachusetts General said that in addition to the new policies and procedures, it would also take the extra security steps of encrypting laptops and USB drives.

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
