The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a civil monetary penalty of $2.15 million on Jackson Health System (JHS), a nonprofit academic medical system based in Miami, FL, for multiple violations of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
In July 2015, OCR learned from media reports of an impermissible disclosure of a patient’s PHI. The patient was a well-known NFL football player; a reporter had shared a photograph of an operating room display board and schedule on which the patient’s information was visible. OCR opened a compliance review of the disclosure in October 2015.
JHS investigated the incident and submitted a report confirming that the photograph showed the PHI of two patients, including that of a well-known member of the community. JHS’s internal investigation also found that an employee had been accessing patient records without authorization since 2011. Over that period the employee accessed the records of 24,188 patients without a legitimate work reason and sold the information.
HIPAA requires covered entities to implement policies and procedures to prevent, detect, contain, and correct security violations (45 C.F.R. § 164.308(a)(1)). To manage risks and reduce them to a reasonable and appropriate level, a covered entity must first conduct an accurate and thorough risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)) that identifies all risks to the confidentiality, integrity, and availability of the ePHI it holds.
OCR requested risk analysis documentation from JHS on several occasions. JHS produced internal analyses from 2009, 2012, and 2013, and third-party risk analyses from 2014, 2015, 2016, and 2017.
OCR found that, before 2017, JHS had incorrectly marked various elements of the HIPAA Security Rule as not applicable in its risk analyses. The 2014 risk analysis therefore fell short: it did not cover all ePHI and did not identify all risks to ePHI held in JHS systems. JHS also produced no documentation showing that it had implemented measures to reduce risks to ePHI to a reasonable and appropriate level, even though the firm that performed the 2014 risk analysis had made recommendations.
The 2015 risk analysis had the same shortcomings: certain sections of the third-party analysis were left incomplete, the analysis did not cover all ePHI, and no documentation was provided to show that risk management had actually been carried out. The same was true in 2016, and the 2017 risk analysis was not comprehensive either.
OCR investigators also found that records of information system activity, including audit logs, were not regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).
OCR also determined that from July 22, 2013 to January 27, 2016, JHS did not implement policies and procedures to prevent, detect, contain, and correct security violations. There were HIPAA Privacy Rule violations as well: JHS made no reasonable effort to restrict certain employees’ access to PHI, which resulted in unauthorized access and impermissible disclosures. Access to PHI was not limited to the minimum necessary, in violation of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.514(d).
On several occasions, employees viewed records they were not authorized to see because they had no treatment relationship with the patient, or the treatment relationship had already ended.
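The two findings above (audit logs not reviewed, and employees viewing records of patients they had no active treatment relationship with) describe exactly the check a routine log review should perform. The following is an added example, not code from JHS or from the OCR case file: it joins constructed EHR access-log lines against a constructed table of treatment relationships (user, patient MRN, start date, end date) and flags every access that has no active relationship on the day of the access, distinguishing "never had a relationship" from "relationship ended". The log format, field names and sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (assumption, not from the OCR case): treatment
# relationships between a user and a patient MRN with start/end dates.
# end=None means the relationship is still active.
TREATMENT_RELATIONSHIPS = [
    ("dr.alvarez", "MRN-1001", date(2015, 6, 1), None),
    ("nurse.kim", "MRN-1001", date(2015, 6, 1), date(2015, 6, 30)),
    ("dr.alvarez", "MRN-2002", date(2015, 1, 10), date(2015, 3, 1)),
]

# Constructed EHR audit log lines (assumed format): timestamp user mrn action.
AUDIT_LOG = """\
2015-07-02T09:14:00 dr.alvarez MRN-1001 VIEW_CHART
2015-07-02T09:20:00 nurse.kim MRN-1001 VIEW_CHART
2015-07-02T11:05:00 dr.alvarez MRN-2002 VIEW_CHART
2015-07-02T12:40:00 clerk.jones MRN-1001 VIEW_CHART
2015-07-02T12:41:00 clerk.jones MRN-1001 PRINT_DEMOGRAPHICS
"""


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    mrn: str
    action: str


def parse_log(text):
    """Parse whitespace-separated audit log lines into Access records."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        accesses.append(Access(ts, user, mrn, action))
    return accesses


def has_active_relationship(user, mrn, on, relationships):
    """True if `user` had a treatment relationship with `mrn` on date `on`."""
    for r_user, r_mrn, start, end in relationships:
        if r_user == user and r_mrn == mrn and start <= on and (end is None or on <= end):
            return True
    return False


def flag_unjustified_access(accesses, relationships):
    """Return (access, reason) for every access lacking an active treatment relationship."""
    flagged = []
    for a in accesses:
        on = date.fromisoformat(a.ts[:10])
        if has_active_relationship(a.user, a.mrn, on, relationships):
            continue
        ever = any(u == a.user and m == a.mrn for u, m, _, _ in relationships)
        reason = "treatment relationship ended" if ever else "no treatment relationship"
        flagged.append((a, reason))
    return flagged


def summarize_by_user(flagged):
    """Count flagged accesses per user so repeat offenders stand out in review."""
    counts = {}
    for a, _ in flagged:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_unjustified_access(parse_log(AUDIT_LOG), TREATMENT_RELATIONSHIPS)
    for a, reason in hits:
        print(f"{a.ts} {a.user} {a.mrn} {a.action}: {reason}")
    print(summarize_by_user(hits))
```

Run against the sample data this flags four of the five accesses: the nurse whose relationship ended on June 30, the physician viewing a patient discharged in March, and a clerk with no relationship at all. In a real deployment the relationship table would come from encounter or ADT data, legitimate non-treatment access (billing, emergency "break the glass") needs its own allow-list or justification field, and the per-user summary is what a reviewer would escalate; the point of the control is that the review happens on a schedule, which is what OCR found missing here.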
JHS also violated the HIPAA Breach Notification Rule by failing to report a breach within 60 days of discovery, as required by 45 C.F.R. § 164.408(b). In 2013, for example, JHS took 160 days to report boxes of missing patient files. JHS additionally admitted that it had no policies covering PHI breaches before October 2013.
OCR attempted to resolve the HIPAA violations informally, but JHS did not comply, so OCR issued a Notice of Proposed Determination. JHS waived its right to a hearing, and OCR issued a Notice of Final Determination imposing the full $2,154,000 penalty, which JHS did not contest.
OCR’s investigation revealed a HIPAA compliance program that had been in disarray for years. JHS’s program failed to detect and stop an employee who took and sold the records of tens of thousands of patients; it lost patient files and did not notify OCR as the law requires; and it failed to adequately protect PHI that was leaked to the media.
The JHS penalty is the second HIPAA financial penalty announced this month and the fifth of 2019. Earlier this month, Elite Dental Associates settled its HIPAA case with OCR for $10,000 after it disclosed patients’ PHI on the Yelp review site.
Other settlements earlier this year include Touchstone Medical Imaging ($3,000,000), Medical Informatics Engineering ($100,000), and Bayfront Health St. Petersburg ($85,000).