Another Dose Of Strong Medicine: Hospital Settles HIPAA Data Breach Suit For $750,000
A recent Massachusetts case highlights the continuing responsibility of all health care organizations to protect confidential health information. The Massachusetts Attorney General announced that South Shore Hospital agreed to a $750,000 settlement after the hospital failed to protect confidential patient health information.
The data breach occurred when the hospital shipped several boxes of unencrypted backup tapes to a third-party vendor to be erased. The backup tapes contained the protected health information (PHI) of approximately 800,000 individuals, including names, Social Security numbers, financial account numbers, and medical diagnoses. Unfortunately, only one of the boxes arrived at the Texas-based vendor. The other boxes were never recovered.
As a result of the breach, the Massachusetts Attorney General sued the hospital under authority granted by Congress in the “HITECH Act” of 2009, alleging violations of both the Health Insurance Portability and Accountability Act (HIPAA) and a state consumer protection statute. The suit claimed the hospital (1) failed to implement appropriate safeguards, policies, and procedures to protect consumers’ information, (2) failed to have a “business associate agreement” with the vendor, and (3) failed to properly train its workforce to protect the privacy of health data.
As we previously discussed, health care employers can expect continued enforcement efforts from both federal and state agencies for violations of the HIPAA Privacy Rule and state consumer protection and privacy laws. In light of the high price tag for mistakes, health care organizations should review existing policies and procedures and implement the following suggestions:
- Health care organizations should implement policies and procedures to address removal of PHI from hospital premises.
- Removal of PHI should only occur when absolutely necessary, and all information taken offsite should be rigorously safeguarded and encrypted.
- Covered organizations should implement a comprehensive and well-documented HIPAA training program for all employees.
- Covered organizations should consider on-site destruction of PHI whenever possible, consistent with document retention and destruction policies, and should select vendors that will comply with HIPAA privacy and security standards.
- Covered organizations should obtain a business associate agreement with all vendors who handle PHI.
If you have questions about your organization’s HIPAA compliance efforts, please contact the Foster Pepper Health Care Practice Group or the Foster Pepper Employment and Labor Relations Practice Group.