$1 Million Settlement and Corrective Action Plan for Alleged HIPAA Violations by Massachusetts General Hospital
Just days after imposing a $4.3 million — and first ever — civil monetary penalty ("CMP") on a covered entity for HIPAA Privacy Rule violations, the U.S. Department of Health and Human Services Office for Civil Rights ("HHS-OCR") entered into a resolution agreement with Massachusetts General Hospital ("Mass General") to settle allegations that it violated the HIPAA Privacy Rule ("Resolution Agreement"). On February 24, 2011, HHS-OCR announced that Mass General agreed to pay $1,000,000 and implement a corrective action plan ("CAP") in order to settle allegations that it violated the HIPAA Privacy Rule after an employee left protected health information ("PHI") on a subway train.
According to the Resolution Agreement, a Mass General employee removed documents containing PHI from the provider’s premises to work on the documents from home. The documents included billing encounter forms (containing patient names, dates of birth, medical record numbers, health insurer and policy numbers, diagnoses and provider names) and daily office schedules (also containing patient names and medical record numbers). In total, the documents included the PHI of 192 individuals. According to HHS-OCR, the documents were bound by a rubber band and were not in an envelope. The employee transporting the documents placed them on the seat next to her and left them on the subway train.
To settle the matter, Mass General agreed to pay HHS-OCR $1,000,000 and enter into and comply with a three-year CAP. Pursuant to the CAP, the provider must:
- Develop, maintain, and revise written policies and procedures governing (1) physical removal and transport of PHI, (2) laptop encryption, and (3) USB drive encryption, and submit these policies and procedures to HHS-OCR for review and approval. Interestingly, despite the fact that the alleged violation involved only paper records, and not electronic PHI, the CAP still addresses electronic PHI and imposes data security requirements that, arguably, are not required for all covered entities.
- Distribute the policies and procedures, and provide training, to workforce members, and prohibit any member of the workforce from removing PHI from the premises if the employee has not both (1) been trained and (2) certified that he or she has been trained.
- Appoint a monitor to conduct CAP implementation and compliance assessments and report its findings to HHS.
- Submit a CAP implementation report, including certain attestations regarding Mass General’s compliance with the CAP requirements, and an annual report, describing its compliance with the CAP, including a summary of reportable events (i.e., violations of the CAP).
Notably, the subtitle of HHS-OCR’s press release — "Large Hospital System to Improve Policies and Procedures [for] Safeguarding Patient Information" — suggests that although the CMP itself is tied to the mistake of one employee, HHS-OCR concluded that the provider did not have policies and procedures adequate to protect PHI. Indeed, the focus of HHS-OCR’s statements and of the CAP requirements is the three main elements of an effective privacy and security compliance program: (1) policies and procedures; (2) workforce training; and (3) assessing and monitoring compliance. The takeaway for covered entities, therefore, is that HHS-OCR expects covered entities to have in place effective privacy and security compliance programs to protect PHI, and expects these programs to reflect current organizational conduct that may compromise patient information — including, of course, the removal and transport of PHI off premises.
Finally, not only must policies and procedures reflect current law and practice, but covered entities must also ensure that their workforce is aware of and complies with applicable policies, procedures, and law. Thus, workforce training and compliance monitoring should be done on a routine basis to reduce potential risks and liability for the covered entity.