Hat-tip to investigative reporter Tom Mashberg, who’s working on this story, for pointing this out:
The federal Department of Health and Human Services reports here that Massachusetts General Hospital has agreed to pay $1 million to settle claims that it violated patient privacy rules. The department’s dry summary:
“The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.”
To which must be added: Those records were lost on the Red Line, and never recovered. The account in the settlement posted here offers some painful details:
(1) On March 6, 2009, an MGH employee removed from the MGH premises documents containing protected health information (“PHI”). The MGH employee removed the PHI from the MGH premises for the purpose of working on the documents from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients.
(2) On March 9, 2009, while commuting to work on the subway, the MGH employee removed the documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals.
The $1 million settlement agreement specifies that it does not constitute an admission of guilt by Mass. General. The hospital does agree to put in an extensive “corrective action plan” to improve privacy protections.