Jackson Health System Pays $2.15 Million in HIPAA Fines
An investigation revealed three separate HIPAA violations, including an employee accessing and selling more than 24,000 patients’ records.
The Office for Civil Rights (OCR) fined a Miami-based academic health system for violating the Health Insurance Portability and Accountability Act (HIPAA).
Jackson Health System (JHS) paid $2.15 million after an investigation revealed three separate HIPAA violations since 2013, reports Modern Healthcare.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI [protected health information] that was leaked to the media.”
In Aug. 2013, JHS submitted a breach report to OCR stating its Health Information Management Department had lost paper records containing the PHI of 756 patients in Jan. 2013.
An internal investigation determined that an additional three boxes of patients’ records were also lost in Dec. 2012, but the system did not report that loss until June 2016, according to a press release.
In July 2015, a media reporter shared a photograph on social media of a JHS operating room screen containing a patient’s medical information. An investigation later determined two employees accessed that patient’s electronic medical record without a job-related reason.
In Feb. 2016, JHS reported to OCR that an employee had been inappropriately accessing and selling more than 24,000 patients’ records, beginning in 2011.
Overall, OCR’s investigation revealed that JHS had failed to provide timely and accurate breach notification to the U.S. Department of Health and Human Services (HHS), to conduct system-wide risk analyses, and to appropriately restrict employees’ access to patient data, among other failures.
JHS said it has taken steps to upgrade its software, procedures and staff training related to patient privacy. It also waived its right to a hearing and did not contest OCR’s findings.
The system operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics.