Corporate Compliance

MGH pays $1M and enters into a CAP to settle potential HIPAA violations

Compliance Monitor, March 2, 2011

The General Hospital Corporation and Massachusetts General Physicians Organization, Inc., (Mass General) agreed to pay $1 million to HHS to settle potential violations of the HIPAA Privacy and Security Rules, according to an HHS press release.

In 2009, Mass General lost the protected health information (PHI) of 192 patients when an employee left documents on a subway train. The HHS Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, opened an investigation of Mass General after one of the affected patients filed a complaint. The OCR’s investigation determined that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises.

Mass General also agreed to enter into a corrective action plan (CAP), which requires the hospital to:

  • Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises
  • Train workforce members on these policies and procedures
  • Designate the director of internal audit services of Partners HealthCare System Inc. to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semiannual reports to HHS for three years