OCR Strikes Again: Mass General Pays $1 Million to Settle HIPAA Violations
On the heels of the Cignet Health civil monetary penalty for $4.3 million only two days ago, the OCR has announced today that Mass General, one of the country's oldest and largest hospitals, has agreed to pay HHS $1 million to settle potential HIPAA violations. The incident leading to this settlement involved an employee who brought documents on the subway with her, as she intended to work on them at home. Unfortunately for Mass General, those documents contained PHI of 192 individuals and the employee accidentally left the documents on the subway. In addition to the million-dollar payment, Mass General also agreed to enter into a Corrective Action Plan, which requires the hospital to develop additional privacy policies and procedures, ensure that employees complete additional HIPAA training, and provide HHS with semi-annual reports for the next three years. The settlement agreement and Corrective Action Plan are available here.
