Massachusetts General Hospital Fined $1 for Lost PHI

The Department of Health and Human Services’ Office for Civil Rights has announced that it has reached a settlement with Massachusetts General Hospital for potential HIPAA violations as a result of the loss and potential disclosure of the medical records of 192 patients. The patients affected had attended the healthcare provider’s Infectious Disease Associates outpatient practice. MGH has agreed to pay $1 million to the OCR.

The incident that triggered the penalty involved the loss of paper files which an employee of the Massachusetts Attorney General had taken on the Subway. When the employee got off, the documents stayed and they were never to be seen again. This may have been a simple case of absent mindedness, but it is negligence and should not have been allowed to occur.

Policies should have been in place to prevent PHI from leaving the premises, staff should have received training and protections put in place to secure confidential data. The OCR has issued an action plan which MGU must follow to bring its privacy and data security standards up to the required level. The action plan can see healthcare providers swamped in paperwork, with MGH having to compile detailed reports to submit to the OCR twice yearly for a period of three years.

The fine was so high, not for the number of records that were disclosed – smaller fines have been issued for much larger breaches – but due to the highly sensitive nature of the data and how damaging this could be if it was disclosed.

The data included patient names, dates of birth, medical record numbers, insurance details and medical diagnoses, which in a number of cases included highly infectious diseases such as HIV/AIDS. When OCR investigators looked into the data breach and assessed MGH for compliance with the HIPAA Security Rule, it was discovered that the hospital had failed to implement the appropriate safeguards to protect PHI.

The Security Rule demands that organizations implement administrative, physical and technical safeguards to protect PHI and prevent accidental disclosure. Failure to comply with the Security Rule is a serious violation, and often warrants high fines from the OCR.

A message is also being sent to other healthcare providers that the days of lax enforcement of HIPAA Rules are gone, and it’s time to comply or pay the penalty. This is the second major fine to be issued in short succession, with Cignet receiving a $4.3 million fine for a HIPAA breach it suffered. That fine was announced by the OCR last month, and was the first to be issued for a Privacy Rule violation.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.