Even More Important HIPAA Penalty News!
Twenty-four hours after issuing the first Health Insurance Portability and Accountability Act (HIPAA) civil monetary penalty, the Department of Health and Human Services (HHS) announced another large penalty: a $1 million penalty against The General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Mass General), related to violations of the HIPAA Privacy Rule provisions requiring reasonable and appropriate safeguards for HIPAA-protected information. This case is perhaps more significant than the Cignet penalty (discussed in the previous article), because the Mass General case relates to events that are much more likely to happen to the average covered entity, i.e., sloppy security practices that led to the loss of information. HIPAA-covered entities should use this latest action as an incentive to review their overall security programs, both for electronic information and for "low-tech" risks related to paper documents.
The Mass General resolution agreement (which means that this was a negotiated settlement rather than the issuance of a civil monetary penalty imposed through the formal enforcement process) appears to have been based on a single incident involving medical records for 192 patients. These records related to an outpatient clinic for infectious diseases, meaning that some of the patients had HIV/AIDS. It is not clear whether the extent of the penalty related in any way to the sensitivity of these particular records.
As discussed in the HHS press release and related materials, the documents were lost by a Mass General employee who took the documents home to work with them but then left them on a subway train, apparently by accident. Following an investigation (prompted by a patient complaint), HHS found that Mass General had failed to implement reasonable and appropriate safeguards to protect the privacy of this information. This was a violation of the Privacy Rule (rather than the Security Rule) because the loss involved paper records rather than electronic information. There is nothing in the public documents to indicate that any specific individual suffered damage as a result of this information loss.
As a result of the HHS/Office for Civil Rights (OCR) investigation, Mass General agreed to the $1 million fine. It also agreed to a Corrective Action Plan that includes a variety of detailed requirements. Some of these requirements seem merely to restate general HIPAA obligations, including the obligations to:
- Develop and implement a comprehensive set of policies and procedures that ensure that personal health information is protected when removed from Mass General's premises; and
- Train workforce members on these policies and procedures.
In addition, HHS required an "internal monitor" to conduct compliance assessments and provide semi-annual reports to HHS for three years. This idea of a monitor is common in many privacy settlements (including Federal Trade Commission (FTC) settlements, although many FTC settlements require monitoring and reports for a longer period of time).
It is still too soon to tell whether the Cignet and Mass General penalties reflect simply a coincidence in the resolution of some ongoing investigations, or indicate a more aggressive overall enforcement attitude by the OCR related to HIPAA enforcement. The lessons learned from the Cignet case are limited, because Cignet's overall practices and response to the investigation seem so out of line with industry practices. The Mass General incident, while clearly arising from sloppy practices, reflects something that is much more likely to affect a broader range of participants in the health care industry. The penalty amount also is substantial, particularly for what appears to be an isolated incident (although one can assume that Mass General's policies were not substantial in this area).
Regardless of the signals being sent by HHS OCR through these penalties, covered entities should be certain to review their overall security practices, involving both paper and electronic information, to ensure that their general security practices are appropriate. In addition, it is clear that employees need to be trained and reminded of their obligations to protect patient information and of the risks associated with casual protection of this information, even for a single incident.