By: Dave Davidson
The Office of Civil Rights within the U.S. Department of Health and Human Services recently imposed $2,154,000 in civil money penalties against Jackson Health System in Miami, Florida for multiple violations of HIPAA. The majority of the penalties were due to violations of the HIPAA Security and Breach Notification Rules, rather than for the actual breaches of confidentiality. This action by the government underscores the importance of complying with all of HIPAA, and not just the requirements to safeguard Protected Health Information.
Jackson Health’s first violation involved a breach report filed with the Office of Civil Rights in August 2013. This disclosure reported that the Jackson system’s Health Information Management Department had lost hard copy records of 756 patients. Although this report complied with HIPAA, Jackson subsequently discovered that the records for an additional 680 patients were also lost, but did not report this discovery until 2016.
The next HIPAA compliance breach occurred in 2015 when two Jackson Health employees improperly accessed an NFL player’s medical records. Shortly after the breach, national media outlets began to report that the player had a finger amputated at the hospital. The reports included a photograph of the patient’s record and a schedule containing the patient’s Protected Health Information.
Finally, in February 2016 Jackson Health reported that beginning in 2011, an employee had improperly accessed the records of 24,188 patients, and had actually sold some of the information.
In considering these HIPAA compliance-related cases, the Office of Civil Rights determined that the violations were due to Jackson Health’s inadequate risk analyses and insufficient restriction of employee access to Protected Health Information. In setting the penalties, the Office of Civil Rights considered the nature and extent of the violations, the resulting harm, Jackson’s history of compliance, its financial condition, and the system’s cooperation in the investigation. The penalty broke down as follows:
$1,500,000 for violating the Notification Rules;
$328,000 for Information Access Management breaches; and
$326,000 for Security Management Process violations.
Given the significance of this penalty, providers are cautioned to follow all of HIPAA’s requirements, both in maintaining the confidentiality of Protected Health Information and in how they respond when a breach of that confidentiality is discovered.