The Health and Human Services Department settled potential privacy violations with Massachusetts General Hospital, which agreed to pay the U.S. government $1 million and establish more stringent policies and procedures to safeguard the privacy of its patients.

The settlement with the General Hospital Corp. and Massachusetts General Physicians Organizations Inc., the formal name of one of the nation's oldest and largest hospitals, came as the result of an investigation by HHS' Office of Civil Rights, which enforces the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA).  

The HIPAA enforcement announcement Feb. 24 follows one two days earlier in which OCR said it imposed its first civil penalty under HIPAA against Cignet Health in Temple Hills, Md., for $4.3 million.

[See also: Cignet fined $4.3M for violating HIPAA Privacy Rule.]

According to the resolution document, the violations are termed "potential" because Mass General agreed to the settlement without admitting wrongdoing or liability. Likewise, a settlement does not mean that HHS has conceded that fact that it believes the hospital violated the privacy rule.

The incident that fueled the OCR investigation of Mass General in 2009 involved the loss of sensitive health information of 192 patients, including those with HIV/AIDS, of Mass General's Infectious Disease Associates outpatient practice, according to Georgina Verdugo, OCR director. One of those patients whose information was lost filed a complaint with OCR.

The lost documents consisted of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients.

A Mass General employee left the documents on the subway train while commuting to work, and they were never recovered, OCR said.

The investigation found that Mass General failed to establish reasonable and appropriate safeguards to protect the privacy of the sensitive information when it was removed from the hospital's premises and was disclosed without permission, potentially violating provisions of the HIPAA privacy rule, Verdugo said.

[See also: Experts guide HIMSS attendees through the privacy maze.]

The HIPAA privacy rule requires that covered entities, such as healthcare providers and health plans, protect the privacy of patient information through administrative, physical and technical safeguards at all times, she said.

"We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," Verdugo said in the announcement.

Mass General agreed to establish a set of comprehensive set of policies and procedures to assure that sensitive information is safeguarded when it leaves Mass General's premises and to train their employees on the more stringent practices.

The provider also will designate the chief internal auditor of Partners HealthCare System Inc. to serve as an internal monitor, who will assess Mass General's compliance with the corrective action plan and report to HHS every six months over three years.