Last week, Massachusetts General Hospital agreed to a $1,000,000 settlement for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). In addition to the financial penalty, the settlement requires Mass General to develop and implement a comprehensive set of policies and procedures to protect the privacy of its patients. The settlement followed an incident in which the health and other information of 192 patients was lost when an employee left the records on an MBTA subway train. HIPAA requires health plans, health care clearinghouses and most health care providers to protect the privacy of their patients' health information.
While HIPAA requires the protection of health information, it is similar to the MA Security Data Breach Law, which requires the protection of personal information for all MA residents. Although this settlement arose from a HIPAA violation, it shows that such violations will be taken seriously and that penalties will be high. The settlement requires Mass General to develop a set of policies to protect health information; the MA Security Data Breach Law likewise requires all MA employers to have a written Data Security Plan in place and to train employees on the proper protection of private information. The two statutes parallel each other, and employers are urged to be compliant in their efforts to protect not only health information but personal information as well.