The Office for Civil Rights (“OCR”) announced in February 2011 a settlement with Massachusetts General Hospital and its physician practice organization, Massachusetts General Physicians Organization Inc. (collectively, “MGH”), resolving potential violations of the HIPAA privacy regulations. An MGH employee who worked in the Physician Organization’s Infectious Disease practice took home documents that contained the name, date of birth, medical record number, health insurer and policy number, diagnosis and provider name for 66 patients, together with the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients. The documents included information about patients who had AIDS. While commuting to work on the subway, the employee removed the documents, which were bound by a rubber band but not in an envelope, from a bag and placed them on the seat next to her. She left the documents behind when she exited the subway. The documents were never recovered. Collectively, the documents contained the protected health information (“PHI”) of 192 individuals.

Without admitting liability, MGH paid a $1 million fine and, in addition, was required to enter into a three-year corrective action plan (“CAP”), which includes requirements to upgrade MGH’s HIPAA policies and procedures and employee training, restrictions on taking PHI offsite, and appointment of a monitor to evaluate MGH’s compliance with its policies and procedures and the CAP. MGH is required to make annual reports to the monitor, and the monitor is required to make semi-annual reports to HHS.

TIP: This settlement points out the need for covered entities and business associates to evaluate their HIPAA policies and procedures, employee compliance and training to be sure that PHI is safeguarded, including when it is taken offsite.