Yesterday, Massachusetts General Hospital settled a HIPAA violation investigation with HHS (U.S. Health and Human Services) and OCR (Office of Civil Rights) for a 2009 incident where an employee left "documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. These documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train that were never recovered." Besides the $1 million fine, they have entered into a Corrective Action Plan which includes:
• Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
• Train workforce members on these policies and procedures; and
• Designate the Director of Internal Audit Services of Partners HealthCare System Inc. to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a 3-year period.
If you look on the U.S. HHS website, it is written in plain English, under the consumer section with the heading "What Information Is Protected":
• Information your doctors, nurses, and other health care providers put in your medical record
• Conversations your doctor has about your care or treatment with nurses and others
• Information about you in your health insurer’s computer system
• Billing information about you at your clinic
• Most other health information about you held by those who must follow these laws
Apparently, we are to believe that Mass General did not have a policy/procedure for PHI (Personal Health Information) that covers leaving the premises, and therefore a corrective action plan has been ordered to create one, educate the staff, and then have that policy monitored for adherence.
Should you be concerned? In one word: YES. If a large hospital can be missing such an important policy, what do you think is happening each and every day with the information on YOU?
Maybe health care providers need to look to the TSA for tips on making sure our PHI is safely kept. They already have the scanners, and if you need follow-up care I'm sure they would be happy to provide it.