In what seems to be one of the biggest HIPAA fines imposed by OCR for the current year – Jackson Health Systems, Florida was charged a US$ 2.15 million fine on account of three separate HIPAA violation instances.
Earlier, Jackson Health Systems based on the guidelines set by HIPAA Breach Notification Rule notified the Department of Health and Human Service’s (HHS) Office of Civil Rights (OCR) that Protected Health Information (PHI) paper records of 256 patients stored in 3 boxes were lost in 2012. But this number was corrected in 2016 and it went up to 1,436 PHI patient records. The HIPAA Breach Notification Rule specifically requires the concerned entities to notify the patients and the Department of Health and Human Services of any physical or electronic breach. It also states that if more than 500 PHI records were compromised then a notification about the same is to be given to the press.
During the investigation in July 2015, OCR came across a shared photograph of a Jackson Health Systems operating room screen. This image showed the patients’ medical information and was circulated on social media without acquiring required patient consent. This violated the HIPAA Privacy Rule – which requires an entity to protect individuals’ medical records and other personal health information across all mediums. Patient’s PHI records at no point can be shared or displayed without their authorization or consent.
The third story is a recurring instance where an employee of Jackson Health Systems knowingly with an intent of identity theft leaked and sold around 2,000 PHI patient records. Reportedly, this employee had access to PHI records of around 24,000 patients and the authorities were in the dark about it from 2011 to 2016.
OCR also reported a few security concerns which if taken care of could have minimized the damages caused:
- The breach was not reported by Jackson Health System when it was first noticed. An accurate breach report during the first breach instance itself would have helped JHS define effective and more stringent security measures avoiding further penetration attempts.
- It did not take enough measures to identify risks and regularly carry-out IT audits. IT audits help in identifying threat elements and defining a secure architecture for any organization.
- Although a third-party risk assessment firm recommended a few measures in 2014, findings suggest they were not effectively implemented.
They are now said to have upgraded and implemented their software and other procedures along with HIPAA related training process to its entire workforce in phases. The Jackson spokesperson said, “(We) recognized and reported (the privacy breaches) because strong organizations like ours admit their errors clearly, learn from them thoughtfully, and take decisive action to prevent them in the future.”