HHS penalizes again for gap in HIPAA policies; more enforcement to come

Published: 2011-03-23 10:46:32
Author: Norbert F. Kugel

  For the second time this year, the Department of Health & Human Services has penalized a health care organization for failing to adhere to HIPAA. This most recent incident, coupled with comments from HHS officials, indicate that failing to have thorough HIPAA policies and procedures may cost you.



The Department of Health & Human Services has announced a $1 million settlement with Massachusetts General Hospital for failure to have policies and procedures governing the removal of patient health information from the hospital. We also recently reported on a $3.5 million HIPAA enforcement action against Cignet Health for failing to grant patients access to their records. More details about the Cignet case are available here (see full article for link).


In the Massachusetts General case, the HHS alleged that a hospital employee took home records at the end of the day to work on them at home. The employee left the records on a subway train the next morning and they were never recovered. The records contained names of patients, birth dates, medical record numbers, health insurers and policy numbers, diagnoses and names of health care providers.