Jackson Health System Receives $2.15 Million Penalty for HIPAA Violations

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) imposed a $2,154,000 civil money penalty against Jackson Health System (JHS), a nonprofit academic medical system in Florida, for numerous violations of the Health Insurance Portability and Accountability Act (HIPAA) that occurred between 2013 and 2016.

The HIPAA violations included the loss of 756 paper patient records containing Protected Health Information (PHI); unauthorized employee access to patient medical records; a social media post by a reporter showing an operating room electronic display board that contained protected health information; and additional unauthorized access by an employee to 24,188 medical records, after which the employee sold the improperly obtained protected health information. Most of these violations were reported to OCR through Breach Notification Reports, as mandated by HIPAA, but many reports were not submitted in a timely manner.

OCR’s investigation revealed that JHS conducted internal investigations in 2009, 2012, and 2013, and later sought external third-party risk analyses from 2014 to 2017. Despite the intent of these measures, OCR found that JHS did not adequately remediate the risks, threats, and vulnerabilities identified by the risk analyses. JHS failed to provide evidence of implementing new policies or procedures based on the results of the risk analyses, and also failed to impose reasonable security measures following several HIPAA breaches. Furthermore, JHS failed to properly restrict employee access to patients’ protected health information in compliance with the minimum necessary standard.

Covered entities and business associates must implement and follow comprehensive HIPAA policy and procedure manuals. As established by this penalty, the completion of risk analyses and development of HIPAA policy manuals are insufficient to demonstrate compliance. Rather, the existence of these documents, when not properly addressed and enforced, may be considered an aggravating factor when reviewed by OCR. Contact Frier Levitt today for a review of your practice’s policies and procedures to ensure compliance with both federal and state law.