Files Left on Subway, Mass General Charged
The General Hospital Corp. and Massachusetts General Physicians Organization, Inc. (Mass General) have agreed to pay the U.S. government $1 million to settle a “potential” violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As part of the settlement, Mass General also will enter into a Corrective Action Plan (CAP), according to a U.S. Department of Health and Human Services (HHS) press release issued Feb. 24.
It all began with a careless mistake. On March 9, 2009, a Mass General employee lost a patient schedule containing names and medical record numbers for 192 patients of Mass General’s Infectious Disease Associates’ outpatient practice, and billing encounter forms containing protected health information (PHI) for 66 of those patients. The documents were left on a subway commuter train and were never recovered. An informed patient subsequently filed a complaint, and an HHS Office for Civil Rights (OCR) investigation followed.
The OCR investigation concluded that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of its patients’ PHI when removed from the facility’s premises, and impermissibly disclosed PHI. Although there was no evidence that the patients’ privacy had actually been violated, it could have been, and that was enough for the OCR to determine that Mass General potentially violated provisions of the HIPAA Privacy Rule.
This is the second OCR investigation ending with HIPAA Privacy Rule violation charges this year. Just weeks prior, Cignet Health of Prince George’s County, Md., was ordered to pay $4.3 million for violating 41 patients’ privacy rights and not cooperating with the OCR investigation.
The CAP agreement Mass General has entered into requires the hospital to:
- Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
- Train workforce members on these policies and procedures; and
- Designate the Director of Internal Audit Services of Partners HealthCare System, Inc. to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a 3-year period.
The HHS/Mass General Resolution Agreement and CAP can be found on the OCR website.