HIPAA enforcement is amping up and the penalties can be very costly. In a February press release from the US Department of Health & Human Services, the Organization announced that Massachusetts General Hospital has agreed to pay the U.S. government $1,000,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
Mass General, one of the nation’s oldest and largest hospitals, signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities) to protect the privacy of patient information through administrative, physical and technical safeguards at all times.
The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. OCR opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, 2009. OCR’s investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.
The documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train that were never recovered.
OCR Director Georgina Verdugo suggested, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA. A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
Setting up service with an on-site shredding service is a key component of ensuring top level HIPAA compliance. For more information, please visit www.hvshred.com