Massachusetts General Hospital (MGH) in Boston has agreed to pay the U.S. government $1 million to settle potential violations of the HIPAA Privacy Rule, according to the U.S. Department of Health and Human Services (HHS). This is the second financial penalty issued by HHS for a covered entity’s violations of HIPAA, as a $4.3 million fine was announced earlier this week.

MGH signed a resolution agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule requires health plans, healthcare clearinghouses and most healthcare providers (covered entities) to protect the privacy of patient information through administrative, physical and technical safeguards at all times.

The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of MGH’s infectious disease associates outpatient practice, including patients with HIV/AIDS. OCR opened its investigation of MGH after a complaint was filed by a patient whose PHI was lost on March 9, 2009.

OCR said its investigation indicated that MGH failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from MGH’s premises and impermissibly disclosed PHI, potentially violating provisions of the HIPAA Privacy Rule.

The impermissible disclosure of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and names of providers for 66 of those patients. These documents were lost on March 9, 2009, when an MGH employee, while commuting to work, left the documents on the subway train. The documents were never recovered, HHS reported.

MGH also agreed to enter into a Corrective Action Plan (CAP), which requires the hospital to:

• Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from its premises;
• Train workforce members on these policies and procedures; and
• Designate the director of internal audit services of Partners HealthCare System to serve as an internal monitor who will conduct assessments of MGH’s compliance with the CAP and render semi-annual reports to HHS for a three-year period.

“We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” said OCR Director Georgina Verdugo.