HIPAA Settlement with South Shore Hospital Confirmed by Attorney General’s Office

by | May 29, 2012

An official announcement has been released by the Office of the Massachusetts Attorney General that a settlement has now been agreed with South Shore Hospital.

The healthcare supplier will have to pay a fine of $750,000 for violations of the state Consumer Protection Act (Massachusetts General Law Chapter 93A) and also breaching the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The settlement was agreed for the accidental exposure of Protected Health Information and for failing to securely delete ePHI. The violation heppening when three backup tapes storing unencrypted ePHI were accidentally sent to a data archiving company to be deleted and resold; however that company was not made aware of the contents of the tapes. Two of those tapes were then lost and have not been located.

The Attorney General’s investigation showed that a number of mistakes had been made by the hospital. The hospital had did not obtain a signed business agreement and did not find whether its choice of data company complied with HIPAA regulations.

The passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 allowed Attorney Generals more power to take action against organizations that breach data privacy and security laws. New powers were given to help the Office for Civil Rights with the policing of HIPAA regulations. However, not all State Attorney Generals’ Offices have been quick to apply these. Only Vermont and Connecticut, and now Massachusetts, have so far taken legal action against healthcare organizations that haveviolated HIPAA regulations.

The latest lawsuit is only the third to be submittedd, even though State Attorney Generals Offices receive a share of the settlements issued. To date, the HHS has supported this extra policing of HIPAA and has even provided computer based training and it also provided support in the lawsuit filed by Connecticut AG.

Healthcare suppliers, health plans and business associates should take notice of these three lawsuits which could now be seen by Attorney General’s Offices nationwide as a way of both increasing funding and showing that data privacy and security is treated with the utmost seriousness in their state.

The chance of AG lawsuits and a higher number of audits by the Office for Civil Rights mean that healthcare organizations must ensure data privacy and security policies are current, that business agreements exist for all associates and a proactive stance is taken to improve data privacy and safety. Lapses and non-compliance issues can prove to be very expensive.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy