HHS levied the fine on Mass General for a data breach involving the loss of documents containing names and medical record numbers of 192 patients at the hospital’s Infectious Disease Associates practice, as well as billing forms that included names, dates of birth, medical record numbers, health insurers and policy numbers, diagnoses, and provider names for 66 of those patients. The practice treats patients with HIV/AIDS, as well as other infectious diseases.
According to HHS, the documents, which were not recovered, were left by a Mass General employee on the subway on March 9, 2009.
The HIPAA privacy rule requires health care providers to protect the privacy of patient information through administrative, physical and technical safeguards, HHS said.
In addition, Mass General agreed to take actions to prevent future data breaches, including implementing a set of policies and procedures regarding information that is removed from the hospital’s premises, training personnel on these policies and procedures, and designating the hospital’s director of internal audit services to serve as an internal monitor to assess the hospital’s HIPAA compliance and produce semi-annual compliance reports to HHS for three years.