In the second major HIPAA enforcement agency announced by federal authorities this week, Massachusetts General Hospital and its physicians organization have entered into a resolution agreement that calls for paying a $1 million settlement and taking corrective action to avoid future violations. The case involved the loss of documents that included information on patients with HIV/AIDS.

Earlier this week, the Department of Health and Human Services announced a $4.3 million civil monetary penalty against Cignet Health. That case apparently included a heftier financial penalty because it did not involve a negotiated resolution agreement.

With the two announcements of penalties for HIPAA privacy rule violations, HHS' Office for Civil Rights appears to be giving strong signals that its long-promised plans to ramp up enforcement efforts are now a reality. "We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," said OCR Director Georgina Verdugo.

The resolution agreement with Massachusetts General stems from the loss of scheduling documents for 192 patients in the hospital's General Infectious Disease Associates outpatient practice, including those with HIV/AIDS. OCR initiated its investigation when a patient whose information was lost filed a complaint.

The patient encounter billing forms and schedules were lost on March 9, 2009, when a hospital employee, while commuting to work, left them on a subway train. They included such information as names, medical records numbers, insurance information and diagnoses.

The corrective action plan calls for Massachusetts General to: 
     *Develop and implement a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital; 
     *Train staff members on these policies and procedures; 
     *Designate the director of internal audit services of Partners Healthcare System, the hospital's parent company, to serve as an internal monitor who will conduct assessments of the hospital's compliance with the corrective action plan and submit semi-annual reports to HHS for three years.

In a statement, Massachusetts General said that in addition to the new policies and procedures, it would also take the extra security steps of encrypting laptops and USB drives.