MGH records lost on T include patient's HIV status

Talk about a bitter pill. Last week a South Boston man received a call from his doctor at Massachusetts General Hospital's (MGH) Infectious Disease Associates, where he receives treatment for HIV. The doctor informed Jacob, who asked that his last name be withheld to protect his medical privacy, that a billing ticket from his last visit to the clinic was one of a bundle of about nine slips that had been misplaced by a billing manager on the Red Line train on March 9. The ticket included Jacob's name, his Social Security number, and information about his treatment for HIV, among other personal information.

An MGH security report on the incident that Jacob provided to Bay Windows, states that a billing manager had taken about 40-50 such billing tickets home to work over the prior weekend, and then misplaced them on the subway on her way to work that day during the morning rush hour. The report states that the billing tickets "are 8x12 sheets of paper that contained patients names and their specific infectious disease diagnosis," and that they were secured by a rubber band.

MGH notified Jacob by mail about the loss of the billing tickets, outlining his right to file a police report and to place a security freeze on his credit reports, and offering him a free one-year membership in a credit report monitoring service to guard against identity theft. But more than the potential for identity theft, Jacob said he was upset to learn that records with his HIV status and other personal information had been taken out of the clinic and carelessly left on the subway.

"I was really angry at first because I thought everything in the hospital was supposed to be electronic and things wouldn't get lost, and to find out someone took their work home, private information wasn't supposed to be taken home, ... to find out it was left on the subway, that wasn't cool. It wasn't secure. It wasn't in a briefcase. It was secured in a rubber band," said Jacob.

He said he is open about his HIV status to family members and close friends, but added, "It's not something I want out there in public."

Jacob said he has no plans to take legal action against MGH. He credited the doctors and nurses at Infectious Disease Associates with "saving [his] life."

"I wasn't doing too good before I went there, and now, knock on wood, I'm undetectable. ... I think it's the best HIV clinic in the state, exceptional care. My doctors and nurses go out of their way to help as much as they can, [and they have] very good bedside manners," said Jacob. He said clinic administrators told him the billing manager who lost the tickets was disciplined, but he does not know what that discipline entails.

Emily Parker, a spokesperson for MGH, provided Bay Windows with a statement on the incident from Deborah Adair, MGH's director of health information services and privacy officer. The statement explains that there were actually more records misplaced on the Red Line than originally detailed in the MGH security report.

"On March 9, 2009, sixty-six MGH patients were affected by an incident involving the loss of some of their personal and medical information. In accordance with MGH practice and Massachusetts state law, each patient was immediately alerted, and the situation was reported to the appropriate authorities," wrote Adair. "MGH Police and Security are thoroughly investigating this matter not only with an eye toward recovering the missing information but also toward making sure that this will not happen again. Our information privacy and security policies and procedures are among the strongest in the health care industry, but incidents such as this remind us that we must continue to review and revise them, as well as continue to educate our staff on best practices to avoid incidents such as this. We sincerely regret that this event occurred. The MGH is highly committed to safeguarding the privacy and security of each patient's protected health information."

It is unclear whether the billing manager's removal of the billing tickets from the hospital was in accordance with hospital regulations or whether she violated MGH policy by bringing them home. Jacob said an administrator at the clinic told him the records should not have left the clinic.

MGH declined to disclose what sort of corrective action, if any, the billing manager faced.

"For reasons of confidentiality, MGH does not provide information about specific corrective action faced by employees. The fact that the underlying issue was related to the misplacement of confidential patient information does not change that stand. Any employee who, whether by accident or otherwise, breaches policies or procedures of MGH that are designed to protect patient confidentiality will face appropriate corrective action, which can include verbal counseling, written warning, suspension or termination, depending on the seriousness and cause of the breach," said Parker in a statement to Bay Windows. "In this case, all indications are that the incident was an unfortunate accident with serious consequences, and MGH has taken into account all of the circumstances in determining an appropriate level of corrective action that the employee is facing; the employee understands the seriousness of the situation. MGH takes confidentiality of patient information, as well as employee information, very seriously, and it would be unfortunate to compound the impact of this incident with a breach of this employee's confidential information."

Spokespeople for two other local hospital systems said that it was not standard practice for staff to bring hard copies of patient records out of their facilities. Teresa Prego, a spokesperson for Caritas Christi Health Care, said staff is prohibited from removing patient records from the hospital. Caritas Christi is a network of hospitals including Carney Hospital in Dorchester, St. Elizabeth's Medical Center in Brighton, Holy Family Hospital in Methuen, Good Samaritan Medical Center in Brockton, Norwood Hospital in Norwood, and St. Anne's Hospital in Fall River.

"Any materials containing confidential patient information do not leave the premises," said Prego. She said staff working on billing could log into the Caritas Christi billing records system online, allowing them to bring work home without carrying hard copies of billing records off-site.

Meg Aranow, a spokesperson for Boston Medical Center, sent Bay Windows a statement explaining that the hospital uses an electronic medical record system.

"Boston Medical Center has implemented electronic medical record systems based on secure technologies. These systems allow fast, secure access to patient information and have reduced our reliance on paper records," wrote Aranow. "BMC continuously reviews its confidentiality and security policies to ensure we are providing our patients the best protections possible."

Bay Windows followed up with BMC spokesperson Michelle Roberts to ask if there were any specific policies around the removal of patient records from the hospital, and she reiterated that the hospital uses an electronic, not a paper system.

Denise McWilliams, AIDS Action Committee's (AAC) director of legal affairs, said that given the financial incentives placed on the healthcare industry she was not surprised at the lost billing records.

"Sadly I wish I could say I'm shocked, but I'm not. The reality is there's no guarantee that information is going to be held confidentially. ... And I think part of the problem is there is not sufficient attention paid to, how do we safeguard things?" said McWilliams. "There really is no financial incentive to protect people's privacy, whereas there is financial incentive to have people take their work home to crank out more billing, there is financial incentive to do more billing, so all of the incentives go to the other side."

She said it is routine for personal health information to be included on administrative documents like billing forms because health care providers regularly transmit information about patient treatment procedures to insurance companies to get reimbursed.

"It's totally routine because this is how hospital and providers get reimbursed. ... In exchange what's lost is the confidentiality of the person," said McWilliams. To prevent such incidents from happening, she said, providers must prioritize maintaining the confidentiality of patient medical information, appointing privacy officers to take charge of such efforts. She added that providers must also ensure that staff who process billing records and other forms with patient information have enough resources to complete their job on site.

"Do people have the adequate time and resources to do their job without having to take steps like this that jeopardize the security of the information?" said McWilliams.

Whether MGH will face any legal fallout from the loss of the patient records remains to be seen. Harry Pierre, a spokesman for Attorney General Martha Coakley's office, said MGH reported the lost records to Coakley's office, as is required under state law. Pierre declined to comment on the possibility of Coakley taking legal action against MGH.

"At this time the company appears to be taking appropriate steps to notify consumers," said Pierre.

While Jacob does not plan to take action against the hospital, McWilliams said patients whose billing tickets were lost on the Red Line could potentially file suit against MGH under the state's privacy statute, which says that a "person shall have a right against unreasonable, substantial or serious interference with his privacy." The statute gives the state superior court the jurisdiction to hear such cases and to award damages, the magnitude of which McWilliams said would depend on the severity of the confidentiality breach and the consequences to the victim.

"What that does is it prohibits the unreasonable or significant interference with anybody's right to privacy, and that seems like what you're looking at here. Clearly this is confidential information, and it was let out for public view," said McWilliams.

She said patients like Jacob whose HIV status was included in the lost billing tickets might also be able to sue under the state's HIV confidentiality statute, although winning such a claim could be difficult because the law protects the confidentiality of HIV test results, not information about HIV treatment. McWilliams said patients might have less luck filing a federal complaint under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires medical providers to maintain the confidentiality of patient records, because the federal law has a range of exceptions that make it far weaker than the state privacy laws.

Jacob said he hopes the incident persuades MGH to take greater precautions to maintain patient confidentiality.

"I still feel that the girl should be reprimanded for what she did, which I was told she was, and I think the hospital needs to be retrained on HIPAA and keeping people's personal information personal," said Jacob.