A Florida health system has paid $2.1 million to HHS' Office for Civil Rights in one of the biggest HIPAA fines this year.
The OCR imposed the fine on Jackson Health System, an academic health system based in Miami, after an investigation revealed three separate HIPAA violations since 2013. Jackson Health System waived its right to a hearing and did not contest the OCR's findings. It has already paid the civil money penalty in full, according to the OCR.
"OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," OCR Director Roger Severino said in a statement Thursday.
The largest data breach, which Jackson Health System reported to the OCR in 2016, involved an employee inappropriately accessing—and sometimes selling—more than 24,000 patients' records, beginning in 2011. An OCR investigation found the health system had failed to provide timely breach notification to HHS and to appropriately restrict employees' access to patient data, among other issues.
The other two HIPAA violations involved a leak of patient health information to the media and a loss of paper records.
In 2015, the OCR began an investigation after a reporter shared a photograph that included an operating room screen containing a patient's medical information on social media. As a result of the investigation, Jackson Health System determined that two employees had inappropriately accessed the patient's electronic medical record.
In 2013, Jackson Health System reported to the OCR that its health information management department had lost paper records of 756 patients earlier that year. An internal investigation at Jackson Health System later revealed that an additional three boxes of patient records were lost in late 2012, but the health system did not report the increase in affected patients until 2016.
"This hospital system's compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media," Severino said.
Jackson Health System said it has taken steps to upgrade its software, procedures and staff training related to privacy.
"Protecting patient privacy is a top priority at Jackson Health System, and we're disappointed whenever we fall short of our high expectations," a spokesperson for the health system said. "Jackson recognized and reported this because strong organizations like ours admit their errors clearly, learn from them thoughtfully, and take decisive action to prevent them in the future."
Jackson Health System's penalty ranks among the OCR's largest HIPAA enforcement actions this year.
Touchstone Medical Imaging agreed to pay the OCR $3 million in May, marking the largest HIPAA fine announced by the OCR in 2019. The diagnostic medical imaging services company allegedly exposed more than 300,000 patients' protected health information by not adequately restricting access to information on one of its servers.