Mass General and HIPAA, or The medical records that never returned

OCR announced today that Massachusetts General Hospital settled a HIPAA violation claim, without admitting liability, for $1 million and an agreement to revamp procedures for taking patient records off premises.  The case involved a stack of paper records left on the T (Boston’s subway) consisting of protected health information for a couple hundred patients, including patients on the HIV service.  (As an aside, HIV records are subject to super-deluxe Rube Goldberg-esque privacy protections in Massachusetts — they need to be flagged so that patients can sign an additional release before they are shared, since even the fact of testing is private, though in my humble opinion the flagging vitiates some of the privacy we want to afford these records).

For those of you keeping score at home, $1 million seems serious, but not Very Serious, like yesterday’s news of the $4.3 million civil monetary penalty assessed by OCR against Cignet Health in Maryland.

As I wrote yesterday, the Cignet CMP is more important as a warning to the community of covered entities that they had better take obligations under HIPAA seriously than as an action against Cignet, which appears to be spectacularly unresponsive to this and other government actions; it seems unlikely that the federales will ever collect the full $4.3 million.  The world is now on notice that OCR is not afraid to pull the trigger on $1.5 million CMP per willful violation.

The MGH settlement, however, seems to me to be more important than the Cignet case.

MGH, home of the Ether Dome and all that, has agreed, in a Resolution Agreement and Corrective Action Plan that it will develop, and submit to OCR for review and approval, policies and procedures governing physical removal and transport of PHI, and laptop and USB drive encryption, that would have addressed the incident on the T.  Policies and procedures must be distributed to the MGH workforce, training conducted for current and new employees, and any violation and remediation must be reported.  In the time-honored tradition of fighting the last war, special attention is paid to the removal of PHI from the premises.  No member of the workforce may remove PHI from the MGH premises other than for MGH work purposes, and not unless MGH certifies that he or she has received the requisite training on these policies and procedures, and reasonable and appropriate measures are taken to maintain the privacy of PHI taken off site.  MGH’s internal audit department will function as the monitor for this plan, subject to OCR review and approval of a monitoring plan (which is to provide for interviews of workforce members and surprise inspections) and regular reports.

It is fascinating to me — and possibly a wake-up call to folks concerned about loss of privacy due to digitization of health records — that in this digital age, an age of lost laptops and stolen hard drives, an institution at the heart of Boston’s identity as a medical Mecca is tripped up by carelessness with paper records.  Mass General paid $1 million to settle accounts with OCR — a far cry from the nickel Charlie needed to get off the MTA.  It seems to me that both MGH and the rest of us ought to have learned to take better care of PHI by now.  Perhaps this case will move folks a little further in the right direction.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting