Massachusetts General Hospital will pay the U.S. government $1 million to settle what the feds are calling “potential violations of the HIPAA Privacy Rule,” according to a statement issued by the U.S. Department of Health and Human Services. The case involves patient information that an employee left on the subway.
This marks the second fine related to HIPAA noncompliance in a week. The first fine, imposed on Cignet Health, was a $4.3 million civil penalty, mostly for failing to cooperate with an investigation.
The settlement follows a probe by HHS’ Office for Civil Rights, which enforces HIPAA rules that require healthcare providers to protect the privacy of patient information through administrative, physical and technical safeguards.
“We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” OCR Director Georgina Verdugo said in a statement.
The possible HIPAA violation occurred after a Mass General employee left the documents on a subway in March 2009. The documents consisted of protected health information for 192 patients of MGH’s Infectious Disease Associates outpatient practice, which includes HIV/AIDS patients. The investigation found that Mass General failed to implement “reasonable, appropriate safeguards to protect the privacy of PHI” that was removed from Mass General’s premises and subsequently disclosed, a potential violation of the HIPAA Privacy Rule.
A patient schedule containing names and medical record numbers, as well as billing forms that included names, dates of birth, diagnoses, insurer policy numbers and providers, were among the documents lost.
As part of a corrective action plan, MGH has promised to develop comprehensive policies and procedures to ensure PHI is protected when removed from the MGH premises, train its workforce on the policies and send twice-yearly reports to HHS for three years.