The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has collected over $2.15 million in civil penalties from Miami-based Jackson Health System (JHS) for multiple violations of the Security and Breach Notification Rules under HIPAA. JHS is a nonprofit academic medical system that serves approximately 650,000 patients a year in six major hospitals and a network of affiliated healthcare facilities. This is the first publicized imposition of civil monetary penalties under HIPAA in recent years, in contrast to the many publicized settlements of alleged violations, indicating that JHS’ violations were severe.

Problems began for JHS when the system submitted a breach report to OCR in April 2013, stating that its information management department had lost paper records containing the protected health information (PHI) of 756 patients in January of that year. An internal investigation discovered that additional paper records had been lost in December 2012, bringing the number of affected patients to 1,436; JHS did not report this additional loss, however, until June 2016. JHS filed another breach report with OCR in February 2016, reporting that an employee had inappropriately accessed the records of over 24,000 patients since 2011 and had been selling their PHI.

A separate investigation was launched by OCR in July 2015 after a reporter shared a photo on social media that contained a patient’s PHI displayed on a JHS operating room screen. OCR found various defects in JHS’ compliance program, including failure to provide appropriate breach notification to HHS, conduct enterprise-level risk analyses, reasonably and appropriately manage identified risks, review information system activity records on a regular basis, and restrict the authority of its personnel to access PHI to the minimum necessary to accomplish their duties. Per OCR Director Roger Severino, the investigation “revealed a [compliance] program that had been in disarray for a number of years… [JHS’] compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.” JHS waived its right to a hearing, did not contest OCR’s findings in the resulting Notice of Proposed Determination, and paid the penalty under OCR’s Notice of Final Determination.

Civil money penalties under HIPAA are imposed under a tiered system that takes into consideration the degree to which the entity was aware that HIPAA Rules were being violated. Tier 1 penalties, which apply to violations the entity was unaware of, range from $100 to $50,000 per violation and are capped at $25,000 per year. Tier 4 penalties, at the top end of the spectrum, are set at $50,000 per violation involving the entity’s willful neglect and are capped at $1.5 million per year. In determining the amount of JHS’ penalty, OCR considered the widespread and longstanding extent of JHS’ violations, the high level of harm resulting from those violations, JHS’ poor history of compliance, and its failure to provide written evidence of mitigation. OCR ultimately determined that Tier 2 penalties, which are based on reasonable cause rather than willful neglect, were appropriate.

Covered entities and business associates should consider it a best practice to review their entire HIPAA compliance program in the event that they experience a breach. Further, given the emphasis on JHS’ poor breach notification history, entities should consult legal counsel to ensure the proper process is followed.