$1 Million HIPAA Settlement Announced
HEALTHCARE PRIVACY—U.S.
February 25, 2011
HealthLeaders Media reports on a settlement by a Massachusetts-based hospital for alleged HIPAA violations. Massachusetts General Hospital and Department of Health and Human Services Office of Civil Rights (OCR) officials announced yesterday that the hospital has agreed to pay $1 million to settle allegations that an employee's loss, on a subway, of information on about 192 patients of the hospital's Infectious Disease Associates was a potential HIPAA violation. "We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," said OCR Director Georgina Verdugo. "It is a covered entity's responsibility to protect its patients' health information." The hospital has also agreed to create comprehensive policies to protect patient privacy. "While it's too early to tell if this is a significant change in overall enforcement policy, this latest resolution agreement is an important development because there was nothing anywhere near as egregious as in the Cignet case," Kirk Nahra, CIPP, of Wiley Rein LLC told the Daily Dashboard. "Here, we had a single incident of sloppy security practices. HIPAA-covered entities should use this as a reminder to revisit their overall security program, particularly for 'low-tech' issues like control of paper records."