Educause Security Discussion mailing list archives

Re: $1m fine for lost documents
From: Allison F Dolan <adolan () MIT EDU>
Date: Fri, 4 Mar 2011 09:18:10 -0500

Yes, the Cignet fine was much bigger, however, they also failed to cooperate and generally behaved in a way that didn't 
endear them to the regulators.  The MGH situation was more like 'there, but for the grace of God, go I'....

Allison Dolan
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () listserv educause edu] On Behalf Of John Ladwig 
[John.Ladwig () CSU MNSCU EDU]
Sent: Friday, March 04, 2011 6:09 AM
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] $1m fine for lost documents

And that's not the big enforcement fine of $4.3M in recent news:

  http://blogs.healthcareinfosecurity.com/posts.php?postID=896

  "In the willful neglect case, Cignet Health was slapped with a $4.3 million civil monetary penalty, the first of its 
kind, for violations of the HIPAA privacy rule, including failure to cooperate with investigators, according to the 
Department of Health and Human Services.

  The group of four clinics in Maryland failed to provide 41 patients with access to their medical records. Then Cignet 
failed to cooperate with HHS Office for Civil Rights investigations from March 2009 to April 2010, constituting willful 
neglect, according to HHS. "

Not a security/data protection incident per se, but still noteworthy in terms of the evolving noncompliance penalty 
environment.

    -jml

Allison F Dolan <adolan () MIT EDU> 2011-03-03 09:17 >>>
In case this recent judgment might be a useful example to encourage action, especially those institutions with medical 
facilities
Allison Dolan
MGH to Pay $1M to Settle 'Potential' HIPAA Violation
Cheryl Clark, for HealthLeaders Media, February 24, 2011

Massachusetts General Hospital has agreed to pay $1 million to settle allegations it violated patient privacy laws 
when a hospital employee lost protected patient medical information on a subway in March, 2009, federal and hospital 
officials announced Thursday.

The loss was said to be a "potential violation" of the Health Insurance Portability and Accountability Act of 1996, 
according to the Department of Health and Human Services.
Mass General signed a "resolution agreement" that requires it to develop and implement a comprehensive set of policies 
and procedures to safeguard patient privacy.

In a statement, MGH privacy officer Deborah Adair said the hospital will issue new or revised policies and procedures 
with respect to physical removal and transport of protected health information from hospital premises, laptop 
encryption, and USB drive encryption.
"After these policies and procedures are issued, we will be providing mandatory training on them," and all members of 
the workforce will have to complete that training, she said.

Georgina Verdugo, director of the federal Office for Civil Rights (OCR), said "We hope the health care industry will 
take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's 
responsibility to protect its patients' health information."

According to an HHS statement<http://www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html>, the incident involved protected 
health information for 192 patients treated by the hospital's Infectious Disease Associates outpatient practice, and 
included patients with HIV/AIDS. An investigation ensued after a patient whose records were lost on March 9 filed a 
complaint. Billing encounter forms containing the name, date of birth, medical record number, health insurer and policy 
number, diagnosis, and names of providers for 66 of those patients.

The documents were lost when a Mass General employee, while commuting to work, left the documents on the subway. The 
records have not been recovered.

That investigation "indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the 
privacy of protected health information when removed from Mass General's premises and impermissibly disclosed protected 
health information potentially violating provisions of the HIPAA Privacy Rule," the HHS statement said.

The correction plan also directs the hospital's Director of Internal Audit Services of Partners HealthCare System Inc. 
to serve as an internal monitor that will conduct assessments of Mass General's compliance with the corrective action 
plan and render semi-annual reports to HHS for a 3-year period."
