Two days after imposing the first-ever civil money penalty for HIPAA violations, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced that Massachusetts General Hospital (Mass General) has agreed to pay $1 million to settle potential violations of the HIPAA Privacy Rule.

OCR initiated an investigation of Mass General after receiving a complaint from a patient whose protected health information (PHI) was lost.  The investigation revealed that, on March 9, 2009, a Mass General employee left documents on a train during her morning commute that contained PHI—including name, date of birth, and diagnosis—of 192 patients of an outpatient practice, including patients with HIV/AIDS.  Based on these findings, OCR concluded that Mass General had failed to implement reasonable and appropriate safeguards to protect PHI when removed from the premises, and potentially had impermissibly disclosed PHI in violation of the Privacy Rule. 

In a Resolution Agreement with HHS, Mass General agreed to pay $1 million and enter into a Corrective Action Plan to implement policies and procedures to protect the privacy of its patients.  This latest announcement is further evidence that the agency is gearing up to flex its enforcement muscles.  It will be interesting to see if the recent enforcement actions are the first in a long string of actions that HHS announces over the next few weeks.