The U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) entered into a Resolution Agreement with General Hospital Corporation and Massachusetts General Physicians Organization, Inc., collectively known as Mass General (“Mass General”) to resolve a potential violation of the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Mass General agreed to a resolution amount of $1,000,000 for the loss of patient medical records and agreed to a corrective action plan. The Resolution Agreement was announced by HHS on February 24, 2011. The incident giving rise to the Resolution Agreement occurred in March 2009 when an employee, bringing work home with her, left documents containing protected health information (“PHI”) on a subway train.
Background on Why the Stakes are Raising – CMP Changes
Mass General’s decision to enter into the Resolution Agreement and to negotiate a final resolution amount may have been based in large part on the fact that it would be held to the new violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
Prior to HITECH, civil monetary penalties (“CMPs”) for violating HIPAA were $100 per violation, with a cap of $25,000 for all violations of an identical requirement or prohibition during a calendar year. These penalties did not apply if the violator did not know (or by exercising reasonable diligence would not have known) of the violation, or if the failure to comply was due to reasonable cause and was corrected within 30 days.
Effective February 18, 2009, however, HITECH eliminated those exceptions and established new minimum and maximum penalties for HIPAA violations. For the violations that occurred after February 18, 2009, Mass General faced the new and higher penalty structure with a maximum penalty of $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year. The new minimum CMPs are tiered as follows:
-
$100 per violation, with an annual cap of $25,000, for violations where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation;
-
$1,000 per violation, with an annual cap of $100,000, for violations due to reasonable cause and not to willful neglect;
-
$10,000 per violation, with an annual cap of $250,000, for violations due to willful neglect that are corrected within 30 days of the date the person knows (or should have known) that the violation occurred; and
-
$50,000 per violation, with an annual cap of $1,500,000, for violations due to willful neglect that are not corrected within the 30 day period.
What Led to the Settlement?
OCR’s investigation stemmed from a complaint filed by a Mass General patient in March of 2009. The investigation revealed that a Mass General employee removed documents containing Protected Health Information (“PHI”) from the premises for the purpose of working on the documents from home. The documents included billing encounter forms for 66 patients containing patient name, diagnosis, medical record number, provider name and insurance information. The documents also included office schedules containing the names and medical record numbers of 192 patients. While commuting to work on the subway, the Mass General employee removed the documents from her bag and placed them on the seat beside her, ultimately leaving the documents on the train upon her exit. The documents were never recovered.
Upon the completion of its investigation, OCR concluded that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.
In response to OCR’s findings, Mass General entered into a Resolution Agreement with OCR. Under the terms of the Agreement, Mass General agreed to pay $1,000,000 to settle the potential violations and agreed to a corrective action plan. Under the terms of the corrective action plan, Mass General agreed to develop, maintain and revise written policies and procedures governing the physical removal and transport of PHI, laptop encryption and USB drive encryption. Mass General further agreed to train its workers on these policies and procedures and work with an internal monitor to conduct assessments of implementation and compliance with the corrective action plan. The internal monitor is required to report to HHS as to Mass General’s compliance with the corrective action plan on a semi-annual basis for the next three years. The internal monitor is also required to report to HHS any violations by workforce members of Mass General’s new policies and procedures. The appointed monitor is the Director of Internal Audit Services of Partners Healthcare, an affiliate of Mass General.
Practical Take-Aways:
-
Covered entities should take this opportunity to review their policies and procedures as to the safeguarding of PHI that is removed from premises to ensure that they are up-to-date. Specifically, it is recommended that such policies and procedures address how impermissible disclosures and use can be prevented and remedied.
-
Covered entities should also consider adoption of laptop encryption and USB drive encryption. This was a key requirement of Mass General’s corrective action plan. Encryption is an addressable specification under the HIPAA Security Rule. Properly encrypted PHI is not subject to the HIPAA Breach Notification Rule.
-
In this era of increased enforcement, covered entities should ensure that employees are continuously educated on the facility’s policies and procedures regarding the handling and transportation of PHI.
-
If an investigation is initiated by OCR, covered entities and business associates should timely respond to investigation demands to avoid additional penalties and fines.
-
This is just the beginning. HHS has stated it will continue to investigate and take action against those covered entities that knowingly disregard their obligations under the HIPAA Privacy and Security Rules.
The HHS Resolution Agreement and CAP can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html.
If you need additional information about this topic, please contact your regular Hall Render attorney or:
- Kendra Conover at (317) 977-1456
or kconover@wp.hallrender.com - Elizabeth Kurt at (317) 338-3127 or ekurt@wp.hallrender.com
- Elizabeth Callahan-Morris at(248) 457-7854 or ecallahan@wp.hallrender.com
