Jackson Health System Paid in $2.15 Million Civil Monetary Penalty for Multiple HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights charged Jackson Health System (JHS) with a civil monetary penalty amounting to $2.15 million. JHS is a nonprofit academic medical system located in Miami, FL, which has violated HIPAA Security Rule, Privacy Rule, and Breach Notification Rule in multiple cases.

OCR learned in July 2015 that some media reports involved impermissible disclosure of PHI of a patient who was a famous NFL football player. A media reporter shared photos of a display board with a schedule inside the operating room. OCR began an investigation of the incident in October 2015 and made a compliance evaluation of the impermissible disclosure.

JHS investigated the report and confirmed that there was a photo of PHI of two patients, one of which was a very well known person in the community. Based on the internal investigation, an employee who was not authorized accessed patient data beginning in 2011. Since then, the unauthorized employee already accessed the data of 24,188 patients and offered the data for sale.

HIPAA 45 C.F.R. § 164.308(a)(l) requires covered entities to implement policies and procedures to prevent, manage, and deal with security violations. However, so as to manage risks and minimize them to a realistic and acceptable level, 45 C.F .R. §164.308(a)(l)(ii){A) requires a covered entity to conduct a comprehensive risk analysis to ensure that all risks to PHI confidentiality, availability and integrity are identified.

On many occasions, OCR inquired JHS’ risk analyses documentations. JHS presented the documentation of its internal analysis from the years 2009, 2012, and 2013. Some documentation of risk analyses were done by third parties for the years 2014 to 2017.

OCR learned that prior to 2017, JHS’ risk analyses had markings of non-applicable in different aspects of the HIPAA Security Rule. Hence, there was a risk analysis failure in 2014 considering that JHS did not cover all ePHI and identify all risks to ePHI. There was likewise no documentation presented by JHS that proves the setup of controls to minimize all threats to ePHI to an acceptable level, even when the third party that did the 2014 risk analysis gave its recommendations. There was the same mistake in risk analysis in 2015 to 2017.

OCR investigators similarly discovered that JHS did not routinely review evaluations of data system activity like the audit logs, violating 45 C.F.R. § 164.308(l)(ii)(D).

OCR determined that from July 22, 2013 to January 27, 2016, JHS did not enforce the policies and procedures to stop, identify, control, and correct security violations. JHS also violated the HIPAA Privacy Rule violation because it did not put in sufficient effort to restrict PHI access of some employees, hence there were unauthorized access and impermissible disclosures. It also did not restrict access to PHI to the least required data as per 45 C.F.R. §164.308(a)(4) and 45 C.F.R. § 164.514(d). On various occurrences, unauthorized employees had accessed the records of the patients even if there’s no treatment relationship between the two or the patients already had ended their treatment relationship with the provider.

Another violation of JHS is not reporting a breach within 60 days after knowing about it as required by the HIPAA Breach Notification Rule, 45 C.F.R. § 164.408(b). For example, in 2013, the case of missing boxes of files was not reported by JHS for 160 days. JHS furthermore admitted that its company had no policies covering breaches prior to October 2013.

OCR attempted to resolve the HIPAA violations by means of informal approaches, but JHS didn’t comply resulting in the issuance of a Notice of Proposed Determination by OCR. Because JHS did not assert its right to a hearing, OCR issued a Notice of Final Determination. JHS, without contesting, paid $2,154,000 to settle the financial penalty.

This is the second financial penalty issued by OCR for a HIPAA violation this month and the fifth this year. The first financial penalty issued this month was against Elite Dental Associates, which paid $10,000 in relation to a disclosure of patients’ PHI on Yelp.

Other settlements this year comprise of Touchstone Medical Imaging ($3,000,000), Bayfront Health St Petersburg ($85,000), and Medical Informatics Engineering ($100,000).