Massachusetts General Hospital was fined $1 million for violating the Health Insurance Portability and Accountability Act (HIPAA). It is the second fine ever imposed on a health care organization by the US Department of Health and Human Services since HIPAA went into effect in 2003.
"We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," Georgina Verdugo, the director of the agency's Office for Civil Rights, said on Feb. 24.
The steep fines should make organizations think twice about skimping on HIPAA compliance, Chester Wisniewski, a Sophos senior security advisor, wrote on the NakedSecurity blog. A doctor once told Wisniewski, "When they start putting doctors in jail, I'll worry about encrypting my records."
Mass General lost the medical records for 192 patients when a hospital employee accidentally left the documents on the subway in March 2009. The patients were part of the hospital's Infectious Disease Associates outpatient practice and may have included patients with HIV/AIDS. The misplaced documents included a patient schedule containing names and medical records numbers, as well as billing forms containing names, dates of birth, diagnoses, and insurance policy information.
The subsequent investigation into the breach revealed the hospital had failed to implement "reasonable, appropriate safeguards" to protect patient privacy when documents were removed from the premises. As part of its settlement with HHS, the hospital has to designate a director of internal audit to assess compliance and report to HHS about its results for the next three years.
The first fine was imposed on Cignet Health, for not providing records in a timely manner. The $4.3 million penalty was not for a data breach but for not cooperating with an investigation.
Cignet, which operates two clinics in Maryland, refused to provide records to 41 patients when they asked, and also did not comply with OCR's request. OCR imposed the fine for the company's "willful neglect" in failing to cooperate with OCR for nearly 13 months. Cignet also did not help matters when, in complying with a subpoena, it provided 59 boxes of medical records belonging to over 4,500 patients, and not just the 41 patients whose records had been requested.
"Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements," Verdugo said.
While the compromised records in both cases were physical, and not electronic, the law doesn't differentiate between the two, said Wisniewski.