In another show of force in HIPAA enforcement, the federal Office of Civil Rights of the Department of Health and Human Services (OCR) announced a $1 million settlement with the General Hospital Corporation and Massachusetts General Physician Organization (MGH) related to an alleged HIPAA violation. According to the Resolution Agreement, the incident occurred when an MGH employee took documents containing protected health information off the MGH premises in 2009 in order to work on those documents from home. The information included billing encounter forms that contained patient names, dates of birth, medical record numbers, diagnosis information and other protected health information regarding 192 individuals. The OCR stated that the information contained data related to patients with HIV/AIDS. While riding the train, the employee left the documents on the seat next to her when she exited. The documents were never recovered.

As part of the Resolution Agreement, MGH agreed to pay $1 million. It also agreed to enter into a 3-year corrective action plan (CAP). The CAP requires MGH to develop comprehensive HIPAA policies related to removal of data from MGH's premises and to train workforce members on those policies. It also designates the hospital system's director of internal audit services to establish a formal monitoring plan to assess compliance with the CAP. The monitor is required to conduct site visits at MGH locations, inspect laptops and USB flash drives for compliance, and report issues to HHS. MGH admitted no liability or wrongdoing in the Resolution Agreement.

This announcement came just days after the OCR announced a $4.3 million civil money penalty on Cignet for HIPAA violations and further demonstrates the government's commitment to HIPAA enforcement. OCR Director Georgina Verdugo stated, "To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules. A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."

To see the Resolution Agreement, visit:

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralra.pdf

To see the OCR press release, visit:

http://www.hhs.gov/news/press/2011pres/02/20110224b.html