In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data. This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine. The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.
While the settlement did not include an admission of liability, in addition to the monetary settlement, and submitting to HHS oversight, the hospital must also adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility. Under the settlement, the hospital must present new privacy and data security administrative, physical, and technical safeguards policies and procedures for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices. Despite a general prohibition on employees physically removing protected health information from the hospital, HHS permitted an exception when the information is removed by an employee to perform his or her job duties. Additionally, the hospital must implement training for all employees.
This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions. In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.