Documents left on subway led to $1 million in fines

A large hospital system in Massachusetts has agreed to pay $1 million in fines and improve its policies and procedures after an employee left patient information on a subway.

The General Hospital Corp. and Massachusetts General Physicians Organization (known collectively as Mass General) have agreed to the penalty and corrective action plan (CAP) to settle potential HIPAA violations, the Department of Health and Human Services (HHS) announced.

Mass General, one of the nation's oldest and largest hospitals, signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by the HHS Office for Civil Rights (OCR), which enforces HIPAA, said OCR Director Georgina Verdugo, JD, LLM, MPA.

"We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," Verdugo said. "It is a covered entity's responsibility to protect its patients' health information."

The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General's Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. OCR opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, 2009.

OCR's investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General's premises and impermissibly disclosed PHI, potentially violating provisions of HIPAA.

The impermissible disclosure of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of providers for 66 of those patients. These documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train that never were recovered, according to the HHS investigation.

Details of corrective action plan

Mass General also agreed to enter into a CAP that requires the hospital to:

• develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General's premises;

• train workforce members on these policies and procedures;

• designate the director of internal audit services of Partners HealthCare System to serve as an internal monitor who will conduct assessments of Mass General's compliance with the CAP and render semi-annual reports to HHS for a three-year period.