On October 23, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $2,154,000 civil money penalty for numerous violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016.

According to HHS, Jackson Health System (“JHS”) is a medical system based in Florida and provides health care to 650,000 patients on average each year.

According to the HHS Notice of Proposed Determination, the HIPAA violations committed by JHS included:

  • In 2013, JHS lost paper records for 1,471 patients.
  • In 2015, there were media reports disclosing the protected health information (“PHI”) of a well-known NFL player who was a patient.  An ESPN reporter had shared a photograph of an electronic display board in a JHS operating room and paper schedule, both of which contained the PHI of the patient.
  • In 2016, JHS reported that one if its employees had been selling patient information since 2011, and that employee had inappropriate accessed 24,188 patient records.
  • JHS failed to provide timely and accurate breach notifications or conduct the appropriate steps to identify and remediate potential risks for additional violations.

JHS waived its right to a hearing and did not contest the findings.  It has paid the $2,154,000 civil monetary penalty.

You can read the HHS Press Release, the Notice of Proposed Determination and the Notice of Final Determination here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jackson/index.html

If your office would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia.  Danielle can be reached via email: ddietrich@tuckerlaw.com, telephone: 412-594-5605 or on Twitter at @DLDietrich.