Potential HIPAA Violation Leads to $750,000 Settlement

The Attorney General for the Commonwealth of Massachusetts reached an agreement with South Shore Hospital over claims the hospital failed to protect confidential health information for hundreds of thousands of consumers. The Attorney General filed the lawsuit under both state information security laws and the federal Health Insurance Portability and Accountability Act (HIPAA).

The problem arose when the hospital shipped three boxes containing more than 400 unencrypted back-up tapes to an off-site vendor. The hospital had contracted with the vendor to erase the tapes and resell them. The tapes contained significant amounts of confidential information such as patients’ names, Social Security numbers, bank account numbers and medical diagnoses. Only one of the three boxes arrived at its intended destination.

While there is no evidence the information contained on the missing tapes has been used improperly, the hospital failed to determine whether the off-site vendor had sufficient safeguards in place to protect the confidential information. In addition, the hospital failed to enter into a business associate agreement with the vendor as it was required to do under HIPAA before disclosing patient information to the vendor.

The consent judgment includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information. The hospital has also taken numerous steps to improve its data security protocols and was credited $275,000 for doing so as part of the consent judgment. These steps include training for all employees on how to handle confidential information, upgrading security systems, and destroying sensitive information onsite instead of sending to a vendor.

The settlement is a good reminder of the fact that many different security laws – state provisions and federal laws like HIPAA – provide detailed mandates on healthcare employers’ handling of patient data and information. The settlement also highlights the need for healthcare providers to exercise due diligence when selecting vendors and to enter into a business associate agreement with vendors that receive protected health information from the provider to perform services on the provider’s behalf.

Photo credit: hoch2wo photo & design

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.