HealthBlawg

David Harlow's Health Care Law Blog

Mass General and HIPAA, or The medical records that never returned

February 24, 2011

OCR announced today that Massachusetts General Hospital settled a HIPAA violation claim, without admitting liability, for $1 million and an agreement to revamp procedures for taking patient records off premises.  The case involved a stack of paper records left on the T (Boston’s subway) consisting of protected health information for a couple hundred patients, including patients on the HIV service.  (As an aside, HIV records are subject to super-deluxe Rube Goldberg-esque privacy protections in Massachusetts — they need to be flagged so that patients can sign an additional release before they are shared, since even the fact of testing is private, though in my humble opinion the flagging vitiates some of the privacy we want to afford these records).

For those of you keeping score at home, $1 million seems serious, but not Very Serious, like yesterday’s news of the $4.3 million civil monetary penalty assessed by OCR against Cignet Health in Maryland.

As I wrote yesterday, the Cignet CMP is more important as a warning to the community of covered entities that they had better take their obligations under HIPAA seriously than as an action against Cignet, which appears to be spectacularly unresponsive to this and other government actions; it seems unlikely that the federales will ever collect the full $4.3 million. The world is now on notice that OCR is not afraid to pull the trigger on a $1.5 million CMP per willful violation.

The MGH settlement, however, seems to me to be more important than the Cignet case.

MGH, home of the Ether Dome and all that, has agreed, in a Resolution Agreement and Corrective Action Plan, that it will develop, and submit to OCR for review and approval, policies and procedures governing physical removal and transport of PHI, and laptop and USB drive encryption, that would have addressed the incident on the T. Policies and procedures must be distributed to the MGH workforce, training conducted for current and new employees, and any violation and remediation must be reported. In the time-honored tradition of fighting the last war, special attention is paid to the removal of PHI from the premises. No member of the workforce may remove PHI from the MGH premises other than for MGH work purposes, and not unless MGH certifies that he or she has received the requisite training on these policies and procedures and reasonable and appropriate measures are taken to maintain the privacy of PHI taken off site. MGH’s internal audit department will function as the monitor for this plan, subject to OCR review and approval of a monitoring plan (which is to provide for interviews of workforce members and surprise inspections) and regular reports.

It is fascinating to me — and possibly a wake-up call to folks concerned about loss of privacy due to digitization of health records — that in this digital age, an age of lost laptops and stolen hard drives, an institution at the heart of Boston’s identity as a medical Mecca is tripped up by carelessness with paper records.  Mass General paid $1 million to settle accounts with OCR — a far cry from the nickel Charlie needed to get off the MTA.  It seems to me that both MGH and the rest of us ought to have learned to take better care of PHI by now.  Perhaps this case will move folks a little further in the right direction.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


Filed Under: Health care policy, Health Law, HIPAA, Hospitals, Massachusetts, Physicians, Privacy
