Jackson Health System (JHS) has paid a $2.15 million civil monetary penalty to the HHS’ Office for Civil Rights over its failure to comply with multiple provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The Miami, FL-based nonprofit healthcare provider operates six hospitals, an urgent care center, and several primary care centers and nursing facilities in Florida. The health system serves approximately 650,000 patients and employs around 12,000 individuals.

According to OCR Director Roger Severino, the JHS HIPAA compliance program was ‘in disarray’, and multiple HIPAA violations occurred between 2013 and 2016.

OCR launched a compliance review following various media reports in which the PHI of a well-known NFL football player was impermissibly disclosed. A reporter had also shared photos of an operating room screen on social media. The photos showed the PHI of the NFL star and one other individual. Those disclosures triggered an OCR HIPAA compliance review in 2015 which uncovered several HIPAA violations.

JHS had reported the loss of two boxes of physical records to OCR in August 2013, stating that they contained the PHI of 756 patients. The boxes had been lost in January 2013. The investigation into that loss revealed that three further boxes of patient files, containing the records of another 680 patients, had been lost in January 2012. JHS should have amended its breach report to OCR to cover the additional patients, but OCR was not notified until June 7, 2016. The deadline for notifying OCR of a breach is 60 days from the date the breach is discovered. OCR also found that, prior to 2017, JHS had no policies and procedures in place covering breach notification.

JHS investigated the media disclosures of PHI and found that two employees had accessed the NFL player’s PHI without authorization. OCR’s investigation found that JHS had not adequately restricted access to ePHI, in violation of the access control requirements of the HIPAA Security Rule, and that the level of access granted to employees violated the HIPAA minimum necessary standard.

In February 2016, JHS discovered another employee had been accessing PHI without authorization and had been doing so since 2011. Between 2011 and 2016, the employee impermissibly accessed the records of 24,188 patients. That individual had also been selling patients’ PHI.

The measures JHS had put in place to protect patient privacy were not sufficient to prevent the loss of PHI or the improper access by employees. JHS was also not monitoring or reviewing ePHI access logs, so it was unaware that patient information was being accessed without authorization; regular log reviews would have revealed the rogue employees’ activity.
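The access pattern described above (one account opening tens of thousands of unrelated records over years) is exactly what routine audit-log review is meant to catch. The following is an added illustration, written for this article rather than taken from JHS or any EHR vendor, of three simple checks an analyst could run over an EHR access log: a per-user volume outlier test against a peer baseline, a "no treatment relationship" test, and a watchlist check for high-profile patients. The CSV log format, the department-based relationship proxy, the thresholds and every record in the sample log are constructed assumptions.

```python
"""Added example (not JHS's code or any vendor product): the kind of access-log
review the article says was absent. Log format, departments, thresholds and all
records are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class AccessEvent:
    ts: str            # ISO-8601 timestamp of the record access
    user: str          # EHR account that viewed the record
    user_dept: str     # department the account belongs to
    patient_id: str    # record that was opened
    patient_dept: str  # department treating that patient (assumption: the audit
                       # trail, or a join against encounters, supplies this)


def parse_log(lines):
    """Parse constructed CSV audit lines: ts,user,user_dept,patient_id,patient_dept."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            raise ValueError(f"malformed audit line: {line!r}")
        events.append(AccessEvent(*fields))
    return events


def has_treatment_relationship(e):
    """Proxy for 'is this user on the patient's care team'. Real deployments key
    this on encounters or care-team assignments, not just department."""
    return e.user_dept == e.patient_dept


def flag_volume_outliers(events, factor=3.0, floor=5):
    """Users who opened far more distinct patient records than their peers.
    The median is the baseline so one rogue user cannot drag it up."""
    per_user = defaultdict(set)
    for e in events:
        per_user[e.user].add(e.patient_id)
    counts = {u: len(p) for u, p in per_user.items()}
    threshold = max(floor, factor * statistics.median(counts.values()))
    return {u: n for u, n in counts.items() if n > threshold}


def flag_no_relationship(events):
    """Per-user count of accesses with no treatment relationship."""
    hits = defaultdict(int)
    for e in events:
        if not has_treatment_relationship(e):
            hits[e.user] += 1
    return dict(hits)


def flag_watchlist_access(events, watchlist):
    """Anyone outside the care team opening a high-profile (watchlisted) record."""
    return sorted({e.user for e in events
                   if e.patient_id in watchlist and not has_treatment_relationship(e)})


def build_sample_log():
    """Constructed records: three clinicians behaving normally, one ED nurse who
    peeks at a high-profile orthopaedic patient, and one billing clerk who
    works through thirty unrelated records in half an hour."""
    rows = [
        "2016-02-01T08:02:11,rn_alvarez,ortho,P1001,ortho",
        "2016-02-01T08:15:40,rn_alvarez,ortho,P1002,ortho",
        "2016-02-01T09:01:03,rn_alvarez,ortho,P1003,ortho",
        "2016-02-01T08:30:00,md_chen,ortho,P1001,ortho",
        "2016-02-01T08:31:10,md_chen,ortho,P1004,ortho",
        "2016-02-01T07:10:00,rn_baker,ed,P3001,ed",
        "2016-02-01T07:12:00,rn_baker,ed,P3002,ed",
        "2016-02-01T07:40:00,rn_baker,ed,P3003,ed",
        "2016-02-01T07:55:00,rn_baker,ed,P3004,ed",
        "2016-02-01T12:20:00,rn_baker,ed,P1001,ortho",  # no treatment relationship
    ]
    depts = ["cardio", "onc", "ortho"]
    for i in range(30):
        rows.append(f"2016-02-01T10:{i:02d}:00,clerk_diaz,billing,P{2000 + i},{depts[i % 3]}")
    return rows


def review(events, watchlist=frozenset()):
    """Run all three checks and return one dict an analyst could triage."""
    return {
        "volume_outliers": flag_volume_outliers(events),
        "no_relationship": flag_no_relationship(events),
        "watchlist_access": flag_watchlist_access(events, watchlist),
    }


if __name__ == "__main__":
    report = review(parse_log(build_sample_log()), watchlist={"P1001"})
    for check, result in report.items():
        print(f"{check}: {result}")
```

On the constructed sample, the clerk is the only volume outlier and accounts for thirty accesses with no treatment relationship, while the watchlist check surfaces the nurse who opened the high-profile patient's record from another department. In production the relationship test should be driven by encounter and care-team data, and the volume baseline computed per role and per shift, otherwise legitimate high-volume roles (coders, pharmacists) generate constant noise.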

OCR found the risk analyses conducted by JHS and third parties were not comprehensive and did not meet the requirements of the HIPAA Security Rule. Some systems containing ePHI were not included in the risk analyses, some aspects of the HIPAA Security Rule were marked as ‘not applicable’ in the risk analyses when they did apply, and sections of the risk analyses had been left blank.

OCR also determined that JHS had failed to reduce risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and had not acted on the findings of third-party risk analyses that identified threats and vulnerabilities to ePHI.

Such widespread noncompliance with HIPAA Rules warranted a significant financial penalty. OCR attempted to resolve the HIPAA case informally, but JHS failed to respond. OCR issued a notice of proposed determination which was not contested by JHS and JHS waived the right to a hearing. As such, OCR issued a final determination and JHS paid the full civil monetary penalty of $2,154,000.

“This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media,” said Severino.