Massachusetts General Hospital has signed an agreement with the Department of Health and Human Services' Office for Civil Rights to pay a $1 million "resolution" fine and implement a corrective action plan following a breach of protected health information.

OCR's action is the second major finding against a health care organization in recent days for privacy rule violations (see story). A Massachusetts General employee in March 2009 left on a subway train records for 192 patients of an infectious disease outpatient practice. Information in the records included name and medical record number for all affected patients, as well as date of birth, medical insurer and policy number, diagnosis and provider names for 66 of the patients.

As part of the corrective action plan, Massachusetts General will submit semi-annual reports to OCR for three years. "We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," OCR Director Georgina Verdugo said in a statement.

The resolution agreement and corrective action plan are available here.

--Joseph Goedert


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access