$1 million object lesson in compliance and data protection

Mass. General Hospital fined for leaving HIV patient records on the subway

No one likes regulatory compliance programs. They're a pain. They detract from "real" work. They're expensive.

Non-compliance, even for those who think their compliance programs are up to speed, is three times more expensive than compliance, however.

The U.S. Dept. of Health and Human Services announced that Boston's Massachusetts General Hospital (MGH) has agreed to pay a fine of $1 million to settle potential violations resulting from a 2009 incident in which an MGH employee left records of 192 patients – many of them HIV positive – on a Red Line subway train.

On March 9, 2009, according to a complaint filed by one of the patients whose records were lost, an MGH employee left the hospital with a stack of patient files so she could work on them at home.

Returning to work on a Red Line, the woman put the rubber-bound stack of papers on the seat beside her, where they remained until sometime after she forgot about them and left the train.

The records, which included many in various stages of HIV or AIDS treatment at Mass General's Infectious Disease Associates outpatient practice, were never recovered.

MGH – a Harvard Medical School teaching hospital whose programs on patient privacy predate HIPAA by so long that the signs in elevators reminding employees not to gossip about private patient information look ancient and are sometimes cracked – admitted no legal culpability in the settlement.

It did agree to follow a Corrective Action Plan (CAP) designed to tighten security and compliance – and maintain it for three years.

The CAP requires MGH to create and put into practice a whole new, even tighter set of policies and procedures to make sure private data is protected when and if it leaves the hospital.

It also has to train, retrain or overtrain employees on the new procedures, even though it has had data-privacy policies and training programs in place for years and already requires relevant employees to be trained.

The lost records were on paper, not in digital form, which probably made them more vulnerable. You can lose a laptop almost as easily as you can a stack of papers, but paper records can't be encrypted or password-protected.

A potentially bigger problem, at least for the IT staff responsible for compliance and security, is that losing paper records over which they had no control and probably no knowledge will force the hospital's parent company to appoint a director of Internal Audit Services whose job it will be to continually assess MGH's compliance with the CAP.

That's going to require a revamp of compliance and records-security procedures, or at least to document what the IT crew is already doing.

Just that, not to mention training hundreds or thousands of employees in new procedures, may very well cost MGH a lot more than the $1 million it has to pay in fines – not to mention the cost of any potential litigation or settlement with patients whose records were lost.

A lot of the implementation cost is going to fall on IT, even though it had nothing to do with the security breach, and may never have any ability to control what employees do with paper records.

Neither the fine nor the cost of follow-up is going to sink MGH or its giant parent company Partners HealthCare System, Inc.

It should scare a lot of other organizations, though – whether they're in the healthcare business or not.

There are plenty of regulations to threaten anyone not paying enough attention, though surveys show compliance is eating up so much of security budgets it often doesn't leave enough for proper security.

Not spending on compliance costs even more, however.

Pick your favorite: HIPAA, Sarbanes-Oxley, Gramm-Leach Bliley, FDA 21 digital records and signatures rules, the Fair and Accurate Credit Transactions Act, the Foreign Corrupt Practices Act, import/export rules, the Multiple-Deliverable Revenue Arrangements accounting rules...

No matter which keep you up at night, or how well you have them covered, digitally at least, every one of them can come back to bite you in the form of even one employee dedicated and hardworking enough to take records home, and just as forgetful as all of us are during the morning commute back in.

$1 million is a lot to pay for someone else's grogginess during the morning commute, especially if the repercussions will hit you, even though there's currently nothing you can do to make sure sensitive paper doesn't go missing in the subway.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon