While Massachusetts General Hospital got socked with a $1 million HIPAA penalty when an employee left 192 patient records in the open on a subway seat, the penalty is perhaps not the worst of the consequences.
Mass General also was required to sign a Corrective Action Plan (CAP) under which the Office of Civil Rights will tightly monitor every move at the facility for HIPAA compliance. The conditions include:
- Three (3) years of reporting requirements to OCR
- Adoption of new policies and procedures which meet OCR approval
- Unannounced site inspections
- OCR interviews with MGH workforce members who work with PHI
- OCR interviews with staff working with the corrections
- Inspection of laptops, USB drives, and other equipment used for PHI
- Monitoring training, implementation, and enforcement
- Semi-annual reports
- Self-reporting of violations
- 120-day status report on the CAP