UMass Memorial healthcare entities have agreed to pay $230,000 to the state of Massachusetts to resolve claims that two separate healthcare data breaches exposed PHI of more than 15,000 state residents.
The lawsuit by the Massachusetts Attorney General (AG) alleged that healthcare facilities received complaints about two employees accessing patients' PHI to open cell phone and credit card accounts. However, they did not investigate the complaints, discipline the employees involved in a timely manner, or take other steps to safeguard the information.
The data breaches exposed patient information including names, addresses, Social Security numbers, clinical information, and health insurance information.
The AG alleged that UMass Memorial medical entities violated HIPAA, the Consumer Protection Act, and the Massachusetts Data Security Law when they failed to properly protect patients’ information.
“Massachusetts residents rely on their healthcare providers to keep private health information safe and secure,” said Massachusetts AG Maura Healey in a Sept. 20 statement. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”
The entities have also agreed to conduct employee background checks and ensure proper employee discipline, train employees on the proper handling of patient information, limit employee access to patient information, identify and remediate potential data security issues, and promptly investigate suspected improper access to patient information.
They will have to hire a third-party firm to conduct a review of their data security policies and procedures, which they will provide to the AG.
Rough Week for Massachusetts Healthcare
Last week was a rough week for Massachusetts hospitals and physicians in terms of HIPAA violation news. On Sept. 20, OCR announced HIPAA fines totaling close to $1 million against three Boston-area hospitals for failing to protect patient privacy during the filming of ABC’s TV show “Boston Med.”
Boston Medical Center (BMC), Brigham and Women's Hospital (BWH), and Massachusetts General Hospital (MGH) were fined for compromising patient privacy when they invited the “Boston Med” film crews on premises without first obtaining authorization from patients.
“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said OCR Director Roger Severino. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”
BMC paid $100,000, BWH paid $384,000, and MGH ponied up a hefty $515,000. Each hospital has agreed to provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media.
According to the OCR guidance: “Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.”
On Sept. 19, Rita Luthra, a Springfield, MA-based gynecologist, was sentenced to one year of probation for a criminal HIPAA violation and obstruction of a criminal healthcare investigation.
A jury convicted her in April of allowing a pharmaceutical sales representative to access patient records and lying to federal investigators. US District Judge Mark G. Mastroianni denied a motion by Luthra’s attorney to reverse the conviction the following month.
Federal prosecutors were seeking a prison sentence of two years and a fine of $40,000, according to a report on MassLive.com.
Judge Mastroianni opted for leniency because of Luthra’s work in Springfield’s impoverished North End, the report noted. He even rejected the defense’s argument that Luthra should perform community service instead of serving jail time.
“I don't believe from what I know of Dr. Luthra she needs the court to tell her about that,” the report quoted the judge as saying. “Her loss of license and ability to practice is a substantial deterrent,” he said in his ruling.