OCR fines Jackson Health System $2.2M for multiple HIPAA violations
Jackson Health System in Miami will pay a penalty of $2.2 million for data breaches and failures to comply with the HIPAA security and breach notification rules. These incidents at the six-hospital delivery system, which serves about 650,000 patients annually, occurred from 2013 to 2016. The most egregious breach may have been submitted in a […]
These incidents at the six-hospital delivery system, which serves about 650,000 patients annually, occurred from 2013 to 2016.
The most egregious breach may have been submitted in a breach report to the HHS Office for Civil Rights in February 2016, after the organization learned that an employee had been selling protected health information. The investigation found the employee had inappropriately accessed more than 24,000 patient records since 2011.
Jackson Health System also had problems handling paper records, submitting a breach report in August 2013 indicating that it lost the records of 756 patients that January. An internal investigation then found an additional three boxes of patient records also had been lost in December 2012. The organization did not announce the losses of patient records until June 2016.
In July 2015, OCR launched another investigation of Jackson Health System after a media report disclosed a patient’s protected health information. A reporter shared a photograph of an operating room screen that displayed the patient’s online social media. A subsequent investigation by the organization found two employees had accessed the patient’s electronic medical record without a job-related purpose.
Overall, OCR found that Jackson Health System failed to provide timely breach notifications to the government and did not conduct enterprisewide risk analyses, manage identifiable risks to a reasonable and appropriate level, further failed to regularly review information system activity records, and did not restrict authorization of its workforce members’ access to patient protected health information to the minimum necessary to accomplish job duties.
Jackson Health System did not contest OCR’s findings and paid the full civil monetary penalty.
The organization submitted the following statement. “Protecting patient privacy is a top priority at Jackson Health System, and we’re disappointed whenever we fall short of our high expectations. We have taken extensive steps to upgrade our software, procedures and staff training regarding privacy protections.”