Jackson Health’s multiple HIPAA violations result in $2.15M penalty

Featured image

Share this article

doctor and patient looking at xray

As first reported by Health IT Security, Miami-based Jackson Health System (JHS) got hit with a $2.15 million penalty for multiple HIPAA violations between 2013 and 2016. The nonprofit medical center serves about 650,000 patients annually and runs six major hospitals, nursing facilities, primary care and specialty centers, an urgent care center network, and corrections health services clinics. 

In August 2013, the first violation was reported to the Office for Civil Rights (OCR) concerning the paper records of 756 patients that were lost in January 2013. Three additional boxes of paper records of 680 patients were lost in January 2012. JHS failed to report the additional loss to the OCR until June 2016. 

OCR investigates JHS after media reports 

In July 2015, OCR launched an investigation after media reports disclosed a patient’s health information. A reporter shared a photo of a JHS operating room screen that displayed the medical information of a well-known NFL player.  

In February 2016, JHS reported a breach to OCR concerning an employee who had been selling patient health information for over five years. The employee accessed the medical records of more than 24,000 patients. OCR determined that JHS did not provide timely and accurate notification to the Department of Health and Human Services. 

JHS fails to remedy risks, threats, and vulnerabilities 

In response to several data requests, JHS provided risk analyses conducted by a third-party vendor. The vendor mistakenly identified provisions of the Security Rule as not applicable to JHS. It also failed to include all electronic patient health information created, received, maintained or transmitted by JHS and did not identify or remedy all the risks in its systems.    

The OCR reported that “an anonymous caller notified JHS’s Office of Compliance and Ethics on January 4, 2016, that an employee was selling patients’ ePHI.” This and other inconsistencies demonstrated to OCR a “failure to implement written policies and procedures on an operational basis.” 

Conclusion

The OCR issued its final determination of a $2.15 million civil monetary penalty. In response, JHS waived its right to a hearing and did not contest the findings. JHS has already paid the full penalty and covered entities can review the complete list of its HIPAA violations as a learning tool.

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.

Read more by Rick Kuwahara

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022