Just as the gasps over the $4.3 million penalty OCR assessed against Cignet Health of Maryland started to subside, OCR delivers a whopping $1 million penalty to another hospital -- this time to The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (aka, "Mass General").
The HHS Press Release indicates that Mass General has agreed to pay the U.S. government $1,000,000 to settle potential violations of the HIPAA Privacy Rule. Mass General signed a Resolution Agreement with HHS on February 14, 2011, which you can review here. After announcing the Settlement Agreement, OCR Director Georgina Verdugo made this official statement:
We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.
The issue came to the attention of OCR when a patient filed a complaint after PHI involving 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, was lost on March 9, 2009. The impermissible disclosures of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. The documents containing the PHI were lost when a Mass General employee left them on a subway train; they were never recovered.
The Corrective Action Plan (CAP) requires that the hospital:
- Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
- Train workforce members on these policies and procedures; and
- Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a 3-year period.
The OCR Director also added:
To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules . . . A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.