Hat-tip to investigative reporter Tom Mashberg, who’s working on this story, for pointing this out:
The federal Department of Health and Human Services reports here that Massachusetts General Hospital has agreed to pay $1 million to settle claims that it violated patient privacy rules. The department’s dry summary:
“The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.”
To which must be added: Those records were lost on the Red Line, and never recovered. The account in the settlement posted here offers some painful details:
(1) On March 6, 2009, an MGH employee removed from the MGH premises documents containing protected health information (“PHI”). The MGH employee removed the PHI from the MGH premises for the purpose of working on the documents from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients.
(2) On March 9, 2009, while commuting to work on the subway, the MGH employee removed the documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals.
The $1 million settlement agreement specifies that it does not constitute an admission of guilt by Mass. General. The hospital does agree to put in an extensive “corrective action plan” to improve privacy protections.
OCR opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, 2009. OCR’s investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.
The breach of privacy is the subject of a lawsuit on behalf of at least 20 of the patients whose records were lost, according to attorneys John Yasi and Robert F. Mazow of Salem.
Mass. General sent over this statement:
Regarding Settlement Agreement with US Dept. of Health and Human Services
Massachusetts General Hospital and the Massachusetts General Physicians Organization have entered into a settlement agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights related to the loss, in March 2009, of MGH patient encounter billing forms and schedules containing protected health information (PHI) on a Red Line subway train. Under the agreement with HHS, MGH has agreed to implement a corrective action plan during the next three years to enhance protection of PHI when it is physically removed from MGH premises for work purposes. In addition, we agreed to pay $1 million to HHS as part of the settlement.
MGH will be issuing new or revised policies and procedures with respect to (1) physical removal and transport of PHI from MGH premises; (2) laptop encryption; and (3) USB drive encryption. After these policies and procedures are issued, we will be providing mandatory training on them. All members of our workforce must participate in the training and certify that they have completed it.
We look forward to taking these steps to further our continuing efforts to protect the privacy and security of our patients’ health information.