OCR issues one of the largest HIPAA fines of 2019 following multiple violations by Jackson Health
The Office for Civil Rights (OCR) announced it is imposing a $2.15 million civil money penalty against Jackson Health System following years of HIPAA violations. The penalty is one of the biggest HIPAA fines issued by the OCR this year and comes in response to multiple serious violations by the Miami-based medical system.
Among those was an incident in 2015 in which a well-known NFL player’s protected health information (PHI) was shared with an ESPN reporter and featured in multiple other media reports. The reporter shared a photo of an operating room display board and a paper schedule containing the player’s PHI.
In February 2016, less than a year after the incident with the NFL player, Jackson Health reported to the OCR that it discovered an employee had been selling patient information for approximately five years. This employee inappropriately accessed nearly 25,000 patient records during that time.
Another violation covered by the penalty dates back to 2013: in August of that year, Jackson Health submitted a breach report to the OCR stating that in January 2013 it had lost paper records containing the PHI of more than 750 patients. The health system’s internal investigation subsequently revealed that it had lost multiple boxes of patient records affecting 1,436 patients back in December 2012, but Jackson Health did not report this to the OCR until June 2016, well beyond the 60-day mandatory reporting period for this type of breach.
"OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," said OCR Director Roger Severino in the press release. "This hospital system's compliance program failed to detect and stop an employee who stole and sold thousands of patient records, lost patient files without notifying OCR as required by law, and failed to properly secure PHI that was leaked to the media."
In addition to the breaches, the OCR Notice of Proposed Determination states that, prior to 2017, Jackson Health erroneously claimed several provisions of HIPAA were not applicable to the health system. It also failed to conduct appropriate risk analyses, implement sufficient security measures, or remediate the threats and vulnerabilities identified by multiple risk analyses.