The headline speaks for itself. On October 15, 2019, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) imposed a $2.15 civil monetary penalty against Miami-based Jackson Health Systems (JHS). OCR based the hefty fine on a multitude of HIPAA violations, which occurred over a six-year period of time.
What Is the $2.15 Million Civil Monetary Penalty Based On?
JHS is a fairly large player in the healthcare market. This nonprofit academic medical system operates:
- Six major hospitals,
- A network of urgent care centers,
- Multiple primary care and specialty care centers,
- Long-term care nursing facilities, and
- Corrections health services clinics.
In all, JHS provides health services to approximately 650,000 patients each year, and employs about 12,000 individuals.
The $2.15 million civil monetary penalty HIPAA JHS horror show began – publicly, anyway, in 2013.
In August of 2013, JHS issued a breach report to OCR, informing OCR that JHS had lost paper records containing the protected health information (PHI) of 765 patients earlier that year.
This report did not tell the whole story, however. JHS’s internal investigation had concluded that an additional three boxes of patient records were also lost in December 2012. However, JHS did not report the additional loss, or the increased number of individuals affected to 1,436 until June 7, 2016.
It gets worse.
In February of 2016, JHS submitted yet another breach report to OCR. In this report, JHS informed OCR that a single employee had been inappropriately accessing, and then selling, patient PHI. The employee had inappropriately accessed over 24,000 patients’ records since 2011.
OCR’s most recent investigation of JHS led OCR to conclude that JHS:
- Failed to provide timely and accurate breach notification to the Secretary of HHS,
- Failed to conduct enterprise-wide risk analyses,
- Failed to manage identified risks to a reasonable and appropriate level,
- Failed to regularly review information system activity records, and
- Failed to restrict authorization of its workforce members’ access to patient ePHI to the minimum necessary to accomplish their job duties.
Perhaps not surprisingly, in light of the above, JHS waived its right to a hearing, and did not contest OCR’s findings. JHS has paid the full $2.15 million civil monetary penalty.
The $2.15 million civil monetary penalty, all the same, shows the dramatic consequences of systematic violation of the HIPAA law and rules.
Alone, an anonymous caller notified JHS’ Office of Compliance and Ethics in January of 2016 that an employee was selling patients’ electronic protected health information – for over five years. Had the caller not acted, JHS might have gotten away with falsely insisting adequate procedures were in place.
“JHS admits that for over five years an employee had access to ePHI that she ‘did not have the proper authorization or authority to access’ despite having written policies and procedures in place, demonstrating a failure to implement such policies on an operational basis,” it added.