Mass. Hospital Pays $750k in Fines to Settle Breach Lawsuit
By Mark Swearingen, Hall Render Blog
Posted June 1, 2012
State attorneys general are beginning to focus their attention on health care privacy laws under the authority granted to them by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and state consumer laws. On May 24, 2012, Massachusetts Attorney General Martha Coakley announced the filing of a final judgment with a licensed Massachusetts hospital (the “Hospital”), arising from violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This is the third lawsuit initiated by a state attorney general under HITECH for HIPAA violations, and the largest settlement to date.
This action arose out of the Hospital’s report to the Attorney General of a breach that occurred in July 2010. The Hospital had shipped 473 unencrypted data tapes, containing information on 800,000 individuals, to a Texas subcontractor for erasure. The tapes were sent in three boxes, but only one of the boxes arrived. After investigating, the Attorney General alleged that the Hospital had failed to adequately implement appropriate safeguards, policies and procedures to protect consumer information. In particular, the state alleged that the Hospital fell short of its HIPAA obligations in the following ways:
- The Hospital did not implement appropriate safeguards, policies and procedures to protect consumer information.
- The Hospital did not execute an adequate business associate agreement with the data destruction contractor.
- The Hospital did not inform the data destruction contractor that the tapes contained protected health information (“PHI”).