Mass General Agrees to $1 Million HIPAA Violations Settlement
The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) have agreed to pay the U.S. government $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced yesterday. Under terms of a Resolution Agreement signed with HHS, Mass General must, in addition to paying the settlement amount, develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules. In particular, the HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities) to protect the privacy of patient information through administrative, physical and technical safeguards at all times. The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including individuals with HIV/AIDS. OCR opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, 2009. Mass General was found to have failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and to have impermissibly disclosed PHI, potentially violating provisions of the HIPAA Privacy Rule. Mass General’s PHI impermissible disclosure involved a loss of documents consisting of a patient schedule that contained the names and medical record numbers for a group of 192 patients, as well as billing encounter forms indicating the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of providers for 66 of those patients. The loss of these documents occurred when a Mass General employee left them on a subway train while commuting to work. They were never recovered. As part of the agreement, Mass General also consented to enter into a Corrective Action Plan (CAP) wherein it must develop and implement a comprehensive set of policies and procedures that ensure protection for PHI when removed from Mass General’s premises. In accordance with the CAP, the hospital must train workforce members on these policies and procedures and designate the Director of Internal Audit Services of Partners HealthCare System, Inc. to serve as an internal monitor. The monitor will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a three -year period. “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement,” states OCR Director Georgina Verdugo. “It is a covered entity’s responsibility to protect its patients’ health information.” Verdugo adds that to avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents,” she concludes.