- The fine has been imposed by the Office for Civil Rights (OCR).
- OCR disclosed that JHS violated the Health Insurance Portability and Accountability Act (HIPAA) multiple times between 2013 and 2016.
The Florida-based healthcare provider Jackson Health System (JHS) has agreed to pay a full fine of $2.15 million for a series of HIPAA violations. The fine has been imposed by the Office for Civil Rights (OCR).
Purpose of fine
- According to the information shared with the U.S. Department of Health Services (DHS), OCR disclosed that JHS violated the Health Insurance Portability and Accountability Act (HIPAA) multiple times between 2013 and 2016.
- In 2013, JHS notified OCR that paper records of 256 patients, stored in three boxes, had been lost in 2012. However, in 2016, the healthcare provider corrected the number and said the loss actually involved 1,436 patients’ records.
- Moreover, during the investigation in July 2015, OCR found that a reporter “shared a photograph of a JHS operating room screen containing the patients’ medical information on social media”. JHS subsequently determined that an employee had inappropriately accessed and sold patients’ electronic medical records.
The big picture
Following a series of mishaps, JHS submitted a breach report to OCR in February 2016. It reported that a JHS employee had been selling patients’ protected health information (PHI). The employee had unauthorized access to 24,188 patients’ records since 2011, OCR said.
During the investigation, OCR also discovered several other security issues:
- JHS did not provide timely and accurate breach notification.
- It failed to conduct risk analyses, manage identified risks, regularly review information system activity records and restrict workforce members’ access to PHI.
- It failed to take extensive steps to remediate risks, threats, and vulnerabilities identified during the 2014 risk analysis. The recommendations were provided by the third party that conducted the risk analysis.
JHS responds by upgrading software
Apart from agreeing to pay the fine, Jackson Health System has taken concrete measures to upgrade its software and procedures. It has also decided to provide privacy-related training to its staff.