Jackson Health System Pays $2.15 Million in HIPAA Fines

An investigation revealed three separate HIPAA violations, including an employee accessing and selling more than 24,000 patients’ records.

Jackson Health System Pays $2.15 Million in HIPAA Fines

The Office for Civil Rights (OCR) fined a Miami-based academic health system for violating the Health Insurance Portability and Accountability Act (HIPAA).

Jackson Health System (JHS) paid $2.15 million after an investigation revealed three separate HIPAA violations since 2013, reports Modern Healthcare.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI [protected health information] that was leaked to the media.”

In Aug. 2013, JHS submitted a breach report to OCR stating its Health Information Management Department had lost paper records containing the PHI of 756 patients in Jan. 2013.

An internal investigation determined an additional three boxes of patients’ records were also lost in Dec. 2012 but the system did not report it until June 2016, according to a press release.

In July 2015, a media reporter shared a photograph on social media of a JHS operating room screen containing a patient’s medical information. An investigation later determined two employees accessed that patient’s electronic medical record without a job-related reason.

In Feb. 2016, JHS reported to the OCR that an employee had been inappropriately accessing and selling more than 24,000 patients’ records beginning in 2011.

Overall, OCR’s investigation revealed JHS failed to provide timely and accurate breach notification to the U.S. Department of Health and Human Services (HHS), conduct system-wide risk analyses and appropriately restrict employees’ access to patient data, among other things.

JHS said it has taken steps to upgrade its software, procedures and staff training related to patient privacy. It also waived its right to a hearing and did not contest the OCR’s findings.

The system operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics.

About the Author


Amy is Campus Safety’s Senior Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy has many close relatives and friends who are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

One response to “Jackson Health System Pays $2.15 Million in HIPAA Fines”

  1. Joe Gomez says:

    whats wrong with people stealing and selling other peoples medical records

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Online Summit Promo Campus Safety HQ