Guarding Patient's Personal Information - You're The Sentry

Author:Mr Neil Nicholson
Profession:The McLane Law Firm

Originally published in June 2012.

Last month, a Massachusetts hospital agreed to pay $750,000 for failing to properly safeguard the personal and confidential health information of more than 800,000 individuals. The settlement reached between the Massachusetts Attorney General's Office and South Shore Hospital involved an improper disclosure of individuals' names, Social Security numbers, financial account numbers and medical diagnoses by the hospital. It is a cogent reminder that data security programs must be more than another written policy sleeping in a filing cabinet. This is the story. Two years ago, the hospital retained a third-party service provider to erase unencrypted back-up tapes that contained the personal information and protected health information of over 800,000 individuals. The hospital did two things wrong when it transferred the tapes to the vendor. First, it did not notify the third-party service provider that the tapes contained this protected and confidential information. Second, the hospital did not verify that the third-party service provider had adequate safeguards in place to protect the sensitive information. The hospital later learned that two of the three boxes containing the back-up tapes - and personal information - were missing. The hospital conducted an investigation and concluded that the back-up tapes were likely disposed of in a secure commercial landfill and were therefore unrecoverable. Even now, there have been no reports of unauthorized use of this personal information or protected health information. Despite the fact that no patient or individual actually reported suffering harm, the Massachusetts Attorneys General Office brought an action against the hospital for violating the Health Information Technology for Economic and Clinical Health Act ("HITECH" Act) and the Massachusetts data security regulations (201 CMR 17.00). The HITECH Act allows state Attorneys General to bring civil actions on behalf of state residents for violations of the Health Insurance Portability and Accountability Act ("HIPAA"). The Massachusetts data security regulations took effect in March, 2010, and among other things, require every...

To continue reading