Hospitals and hospitalists should expect more aggressive enforcement of protected health information regulations following a $1 million settlement paid by Massachusetts General Physicians Organization Inc. over documents on 192 patients left on the subway by a MassGen employee, a top hospitalist says.
The payment – part of an agreement between MassGen and the U.S. Health and Human Services Department over “potential violations” of HIPAA rules – came at the same time as HHS issued its first civil money penalty for violations of the privacy act. The $4.3 million civil money penalty involved Cignet Health Care, a Maryland-based clinic, which HHS found had violated 41 patients' rights by failing to provide them with access to their own medical records.
The two high-dollar enforcement moves by HHS indicate more aggressive enforcement of HIPAA is coming, according to Dr. Chad Whelan, director of the division of hospital medicine at Loyola University Chicago, Maywood.
“Given the large fines and the high-profile institution [MassGen] affected, it sure seems like they are sending a message,” he said in an interview. “I would fully expect more stringent enforcement in the coming years, and we will likely see more payouts.”
To safeguard themselves from violating HIPAA, physicians and hospitals need to take a hard look at their policies regarding electronic storage and transmission of protected health information across multiple electronic devices, especially smartphones and tablet-style electronic devices, Dr. Whelan said.
“The beautiful thing about computers, smartphones, and electronic medical records is that [they make it] amazingly easy to store, access, and share information,” he said.
“The terrifying thing about computers, smartphones, and electronic medical records is that [they make it] amazingly easy to store, access, and share information. Medical centers and hospitalists must be aware of this tension between improving care through information access and sharing and the risk to confidentiality through easier information access and sharing.
“These settlements are the first shot across the bow to all of us that HHS is certainly taking a long, hard look at this balance,” Dr. Whelan said.
Office of Civil Rights director Georgina Verdugo said as much in a statement involving the MassGen settlement.
“We hope the health care industry will take a close look at this agreement and recognize that the OCR is serious about HIPAA enforcement.
“It is a covered entity's responsibility to protect its patients' health information,” Ms. Verdugo said.
The MassGen incident involved hard copies of protected health information from the hospital's Infectious Disease Associates outpatient practice, and included patients with HIV and AIDS, according to HHS.
The documents involved included a patient schedule with names for all of the patients, plus billing encounter forms with identifying information such as name, date of birth, health insurer, and policy number for 66 of the same patients.
A MassGen employee left the documents containing the information on a subway while commuting to work, and the documents were never recovered. One of the patients involved filed a complaint with HHS.
The agency conducted an investigation and found that MassGen had “failed to implement reasonable, appropriate safeguards to protect the privacy of [protected health information] when removed from Mass General's premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”
In response, MassGen said in a statement that it will implement a corrective action plan over the next 3 years designed to enhance protection of protected health information when it is physically removed from the hospital's property for work purposes.
The organization also said it will issue new or revised policies and procedures dealing with laptop encryption and USB drive encryption.
“After these policies and procedures are issued, we will be providing mandatory training on them,” the hospital said. “All members of our workforce must participate in the training and certify that they have completed it.”
It's very unusual for an employee to intentionally violate HIPAA, but it's the inadvertent violations that potentially can cause trouble, according to Dr. Whelan.
“It is far more likely that a well-meaning employee simply forgets the basics of patient protection on a device and then accidentally misplaces the device, leaving it open for anyone with basic computer skills to access,” he said.
Traditional concern has been focused on data stored on portable computer hardware, such as hard drives, CDs, and laptops, he said.
But “with the increased availability of electronic medical records, it will only become easier to have information about patients in portable formats.
With paper, it was difficult to carry records of hundreds of patients around. Now, it is remarkably easy.”