February 25, 2011, 10:28 AM — No one likes regulatory compliance programs. They're a pain. They detract from "real" work. They're expensive.
Non-compliance, even for those who think their compliance programs are up to speed, is three times more expensive than compliance, however.
The U.S. Dept. of Health and Human Services announced that Boston's Massachusetts General Hospital (MGH) has agreed to pay a fine of $1 million to settle potential violations resulting from a 2009 incident in which an MGH employee left records of 192 patients – many of them HIV positive – on a Red Line subway train.
On March 9, 2009, according to a complaint filed by one of the patients whose records were lost, an MGH employee left the hospital with a stack of patient files so she could work on them at home.
Returning to work on a Red Line, the woman put the rubber-bound stack of papers on the seat beside her, where they remained until sometime after she forgot about them and left the train.
The records, which included many in various stages of HIV or AIDS treatment at Mass General's Infectious Disease Associates outpatient practice, were never recovered.
MGH – a Harvard Medical School teaching hospital whose programs on patient privacy predate HIPAA by so long that the signs in elevators reminding employees not to gossip about private patient information look ancient and are sometimes cracked – admitted no legal culpability in the settlement.
It did agree to follow a Corrective Action Plan (CAP) designed to tighten security and compliance – and maintain it for three years.
The CAP requires MGH to create and put into practice a whole new, even tighter set of policies and procedures to make sure private data is protected when and if it leaves the hospital.
It also has to train, retrain or overtrain employees on the new procedures, even though it has had data-privacy policies and training programs in place for years and already requires relevant employees to be trained.
The lost records were on paper, not in digital form, which probably made them more vulnerable. You can lose a laptop almost as easily as you can a stack of papers, but paper records can't be encrypted or password-protected.
A potentially bigger problem, at least for the IT staff responsible for compliance and security, is that losing paper records over which they had no control and probably no knowledge will force the hospital's parent company to appoint a director of Internal Audit Services whose job it will be to continually assess MGH's compliance with the CAP.