On February 24, 2011, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced a $1,000,000 Resolution Agreement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) that stemmed from the loss of protected health information (“PHI”) of 192 patients. A Mass General employee had left hard-copy records containing PHI on the subway in March 2009. The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS. After receiving a complaint from an affected patient, OCR conducted an investigation that demonstrated that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

As part of the Resolution Agreement, Mass General will pay $1,000,000 to settle the potential HIPAA violations and enter into a Corrective Action Plan that will require Mass General to:

  • develop and implement a set of policies and procedures to ensure PHI is protected when it is removed from Mass General;
  • train employees on the policies and procedures; and
  • designate an internal monitor to conduct assessments of Mass General’s compliance with the Corrective Action Plan and provide semi-annual reports to OCR for three years.

The Mass General Resolution Agreement is the second major HIPAA enforcement action taken by OCR in the past week. On February 22, 2011, OCR announced a $4.3 million civil penalty against Cignet Health for violations of the HIPAA Privacy Rule. In announcing the Mass General Resolution Agreement, Georgina Verdugo, the Director of OCR, stated: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.” By levying more civil penalties for HIPAA violations in the past week than the combined amount of fines levied in the Enforcement Rule’s five-year history before last week, it is clear that OCR is seeking to erase any possible doubts about its seriousness in enforcing HIPAA’s privacy and data security requirements.