Jackson Health System Pays $2.15 Million in HIPAA Fines

An investigation revealed three separate HIPAA violations, including an employee accessing and selling more than 24,000 patients’ records.

Jackson Health System Pays $2.15 Million in HIPAA Fines

The Office for Civil Rights (OCR) fined a Miami-based academic health system for violating the Health Insurance Portability and Accountability Act (HIPAA).

Jackson Health System (JHS) paid $2.15 million after an investigation revealed three separate HIPAA violations since 2013, reports Modern Healthcare.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI [protected health information] that was leaked to the media.”

In Aug. 2013, JHS submitted a breach report to OCR stating its Health Information Management Department had lost paper records containing the PHI of 756 patients in Jan. 2013.

An internal investigation determined an additional three boxes of patients’ records were also lost in Dec. 2012 but the system did not report it until June 2016, according to a press release.

In July 2015, a media reporter shared a photograph on social media of a JHS operating room screen containing a patient’s medical information. An investigation later determined two employees accessed that patient’s electronic medical record without a job-related reason.

In Feb. 2016, JHS reported to the OCR that an employee had been inappropriately accessing and selling more than 24,000 patients’ records beginning in 2011.

Overall, OCR’s investigation revealed JHS failed to provide timely and accurate breach notification to the U.S. Department of Health and Human Services (HHS), conduct system-wide risk analyses and appropriately restrict employees’ access to patient data, among other things.

JHS said it has taken steps to upgrade its software, procedures and staff training related to patient privacy. It also waived its right to a hearing and did not contest the OCR’s findings.

The system operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics.

About the Author

Contact:

Amy is Campus Safety’s Senior Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy’s mother, brother, sister-in-law and a handful of cousins are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.

In her free time, Amy enjoys exploring the outdoors with her husband, her son and her dog.

Read More Articles Like This… With A FREE Subscription

Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!

Get your free subscription today!


One response to “Jackson Health System Pays $2.15 Million in HIPAA Fines”

  1. Joe Gomez says:

    whats wrong with people stealing and selling other peoples medical records

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety HQ