HIPAA Fine Violation Spotlight

HIPAA Fines Charged for Security and Breach Notification Rule Violations

Lost boxes of paper records, protected health information (PHI) leaked on social media, and an employee caught selling patients' PHI are just the beginning of the issues found at Jackson Health System (JHS), a nonprofit academic medical system based in Miami, Florida. The Office for Civil Rights (OCR) recently imposed a civil money penalty of $2,154,000 on JHS for violations of the HIPAA Security and Breach Notification Rules between 2013 and 2016.

This began with a properly submitted breach report. In August 2013, JHS reported that it had lost paper records containing the PHI of 756 patients. JHS's own internal investigation later determined that three additional boxes of paper records had been lost. However, JHS did not report this discovery, or notify OCR that the number of affected patients had risen to 1,436, until June 7, 2016, during OCR's investigation.

In July 2015, a media report featured a photo of a JHS operating room in which a patient's medical information was readable on a screen. As OCR investigated, JHS determined that two employees had impermissibly accessed the exposed patient's medical record.

The most egregious offense was revealed in February 2016, when JHS reported that an employee had been selling patient PHI. Though the number of records sold was not reported, this employee had inappropriately accessed over 24,000 patient records since 2011.

The subsequent OCR investigation concluded that JHS had failed to conduct risk analyses, reduce identified risks to a reasonable and appropriate level, regularly review log reports, or restrict workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.

"OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," said OCR Director Roger Severino. "This hospital system's compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media."