On December 13, 2010, the U.S. Department of Health & Human Services (HHS) entered into a Resolution Agreement with Management Services Organization Washington, Inc. (MSO), to settle potential violations of the Health Information Portability and Accountability Act Privacy and Security Rules. This settlement arose from and was made in coordination with the HHS Office of the Inspector General and the U.S. Department of Justice, which had been investigating MSO for violations of the Federal False Claims Act.
In the agreement, MSO agrees to pay $35,000 and implement a detailed Corrective Action Plan (CAP) to ensure that it will appropriately safeguard identifiable electronic patient information against impermissible use or disclosure. The CAP includes requirements for MSO to develop, maintain, and revise its policies and procedures and to appropriately train its workforce on these policies and procedures. HHS will monitor MSO’s compliance with the terms of the CAP and the Privacy and Security Rules for two years.
The Resolution Agreement and CAP relate to MSO’s disclosure of electronic protected health information to Washington Practice Management, LLC, owned by MSO, which used the information for marketing purposes. An HHS investigation showed that MSO intentionally did not have in place or implement appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the protected health information.