
MGH to pay $1 million to settle ‘potential’ HIPAA violation


By Cheryl Clark, for HealthLeaders Media

Massachusetts General Hospital has agreed to pay $1 million to settle allegations that it violated patient privacy laws when a hospital employee lost protected patient medical information on a subway in March 2009, federal and hospital officials announced Thursday.

The loss was said to be a “potential violation” of HIPAA, according to HHS. Mass General signed a “resolution agreement” that requires it to develop and implement a comprehensive set of policies and procedures to safeguard patient privacy.

In a statement, MGH privacy officer Deborah Adair said the hospital will issue new or revised policies and procedures with respect to physical removal and transport of PHI from hospital premises, laptop encryption, and USB drive encryption.

“After these policies and procedures are issued, we will be providing mandatory training on them,” and all members of the workforce will have to complete that training, she said.

Georgina Verdugo, director of OCR, said, “We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

According to an HHS statement, the incident involved PHI for 192 patients treated by the hospital’s Infectious Disease Associates outpatient practice, and included patients with HIV/AIDS. An investigation ensued after a patient whose records were lost on March 9 filed a complaint. The lost records included billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis, and names of providers for 66 of those patients.

The documents were lost when a Mass General employee, while commuting to work, left them on the subway. The records have not been recovered.

That investigation “indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of protected health information when removed from Mass General’s premises and impermissibly disclosed protected health information potentially violating provisions of the HIPAA Privacy Rule,” the HHS statement said.

The correction plan also directs the hospital’s Director of Internal Audit Services of Partners HealthCare System Inc. to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.
