Miami-Based Hospital Fined $2.15M for Multiple HIPAA Violations
Miami-based Jackson Health System (JHS) paid the Office for Civil Rights a civil monetary penalty of $2.15 million for multiple HIPAA violations between 2013 and 2016, the agency announced today. Describing Jackson Health’s HIPAA compliance program as in ‘disarray,’ OCR Director Roger Severino says multiple HIPAA violations spurred the hefty civil monetary penalty.
The nonprofit academic medical center operates six major hospitals, an urgent care center network, multiple primary care and specialty centers, nursing facilities, and corrections health services clinics, providing service to about 650,000 patients each year.
The first violation was reported to OCR in August 2013, which noted that the paper records of about 756 patients were lost seven months earlier in January 2013. JHS’ investigation determined an additional three boxes of paper records were also lost in January 2012, impacting an additional 680 patients. However, JHS failed to report the additional loss to OCR until June 7, 2016.
OCR launched an investigation into JHS in July 2015, after a several media reports disclosed a patient’s health information. According to the notice, a reporter shared a photograph of a JHS operating room screen, which showed the medical information of a well-known NFL player on social media.
JHS officials determined two employees accessed the patient’s electronic medical record without a job-related purpose on repeat occasions. These employees were sanctioned, but OCR found that “their broad and excessive access evidences a lack of restriction, review and/or modification of the appropriate levels of access to ePHI.”
On February 19, 2016, JHS again reported a breach to OCR, which showed an employee had been selling patient health information for over five years. The employee in question inappropriately accessed the medical records of more than 24,000 patients – beginning in 2011.
OCR officials determined that JHS failed to provide timely and accurate notification to the Department of Health and Human Services. Not only that, JHS did not conduct an enterprise-wide risk analysis, failed to manage identified risks “to a reasonable and appropriate level,” did not regularly review IT system activity records, nor restrict the authorization of its workforce members’ access to patient records.
“OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” OCR Director Roger Severino, said in a statement. “[JHS]'s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”
“JHS admits that for over five years an employee had access to ePHI that she ‘did not have the proper authorization or authority to access’ despite having written policies and procedures in place, demonstrating a failure to implement such policies on an operational basis,” it added.
JHS did not contest OCR’s findings and waived its right to a hearing. OCR issued a final determination and JHS has already paid the full civil monetary penalty. A complete list of HIPAA violations can be reviewed with OCR and should serve as a learning tool for covered entities.