Miami health system to pay $2.15M for HIPAA violations
Posted on: Friday, October 25, 2019 By: KorchekStaff
Miami-based Jackson Health System was slapped with a $2.15 million fine from HHS' Office for Civil Rights for HIPAA violations that occurred between 2013 and 2016, according to an Oct. 23 news release.
OCR's complete investigation found that JHS failed to provide timely and accurate breach notification to HHS, conduct enterprise-wide risk analyses, manage identified risks to an appropriate level, review information system activity records, and restrict authorization to access patient information.
In August 2013, the health system submitted a data breach report to OCR, indicating that 756 patients may have had their information exposed after the Miami health information department lost a box of patient records. An internal investigation by JHS determined that three other boxes of patient information were also lost. However, the health system didn't report this information to OCR until June 2016.
After a media report disclosed the protected health information of a JHS patient, OCR began investigating this security incident at the health system in July 2015. A reporter had shared on social media a photograph of an operating room screen that showed a patient's medical information. The health system determined that two employees had illegally gained access to that patient's electronic record.
On a separate occasion in February 2016, JHS notified OCR that an employee was selling patients' protected health information. The employee had viewed more than 24,000 patient records since 2011.
"OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," said OCR Director Roger Severino. "This hospital system's compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media."