The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $2.15 million civil monetary penalty on Jackson Health System (JHS), a Miami, FL-based nonprofit academic medical system, for multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
In July 2015, OCR became aware of media reports that the PHI of a patient, a well-known NFL football player, had been impermissibly disclosed. A reporter had also published photographs of an operating room display board and schedule on social media. In October 2015, OCR opened a compliance review into the impermissible disclosure.
JHS investigated and submitted a report confirming that a photograph had been taken in which two patients’ PHI was visible, including the PHI of a well-known person in the community. The internal review also found that an employee had been accessing patient information without authorization since 2011. During that time, the employee had obtained the records of 24,188 patients with no legitimate work reason for doing so and had been selling that data.
HIPAA requires covered entities to implement policies and procedures to prevent, detect, contain, and correct security violations (45 C.F.R. § 164.308(a)(1)). Before risks can be managed and reduced to a reasonable and appropriate level, however, a covered entity must conduct a thorough risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)) so that all risks to the confidentiality, integrity, and availability of ePHI are identified.
On many occasions, OCR requested documentation on risk analyses at JHS. JHS supplied documentation on internal assessments from 2009, 2012, and 2013, and risk analyses carried out by third parties in 2014, 2015, 2016, and 2017.
OCR found that, before 2017, JHS had erroneously marked many requirements of the HIPAA Security Rule as not applicable in its risk analyses. The 2014 risk analysis was deficient: it did not cover all ePHI and did not identify all risks to the ePHI held in JHS systems. JHS also could not produce documentation showing that measures had been put in place to reduce risks to ePHI to a reasonable and appropriate level, even though the firm that performed the 2014 risk analysis had made recommendations.
The 2015 risk analysis showed similar failures. Some sections of the third-party risk analysis had not been completed, the analysis did not cover all ePHI, and no documentation could be supplied showing that risk management activities had been undertaken. The same was true in 2016, and the 2017 risk analysis was not sufficiently thorough.
OCR investigators also found that reviews of information system activity, such as audit logs, had not been performed regularly, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).
OCR also found that between July 22, 2013 and January 27, 2016, policies and procedures had not been implemented to prevent, detect, contain, and correct security violations. The HIPAA Privacy Rule had also been violated: reasonable efforts were not made to control certain employees’ access to PHI, which led to unauthorized access and impermissible disclosure. Access to PHI was also not restricted to the minimum necessary information, in violation of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.514(d).
On many occasions, employees accessed records without authorization when there was no treatment relationship with the patient, and also after a treatment relationship had ended.
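The audit log review that OCR found missing, and the treatment-relationship checks it would have supported, can be illustrated with a small review routine. This is an added example, not code from the article or from JHS; the log lines, user names, patient IDs and treatment windows are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access-log lines: timestamp, user, patient ID (not real data).
ACCESS_LOG = """\
2015-07-10T09:12:00 nurse01 P100
2015-07-10T09:15:00 clerk07 P100
2015-07-10T09:20:00 clerk07 P101
2015-07-11T10:00:00 nurse01 P100
2015-07-20T14:30:00 nurse01 P100
2015-07-21T08:00:00 clerk07 P102
"""

# Constructed treatment relationships: (user, patient) -> (start, end); end=None means ongoing.
TREATMENT = {
    ("nurse01", "P100"): (datetime(2015, 7, 9), datetime(2015, 7, 12)),
}


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, user, patient) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, patient))
    return events


def review_access(events, treatment):
    """Flag accesses with no treatment relationship or outside the treatment window.

    Returns (findings, unauthorized_patients_per_user). The second value counts
    distinct patients each user touched without authorization, which is the
    pattern a periodic log review is meant to surface.
    """
    findings = []
    unauthorized = defaultdict(set)
    for ts, user, patient in events:
        window = treatment.get((user, patient))
        if window is None:
            reason = "no_treatment_relationship"
        else:
            start, end = window
            if ts < start or (end is not None and ts > end):
                reason = "outside_treatment_window"
            else:
                continue  # access falls inside an active treatment relationship
        findings.append((reason, user, patient, ts.isoformat()))
        unauthorized[user].add(patient)
    return findings, {u: len(p) for u, p in unauthorized.items()}
```

Run periodically over the full log, the per-user count of unauthorized patients is the figure to alert on; a single user accumulating thousands of such patients is the case described above.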
JHS had also violated the HIPAA Breach Notification Rule by failing to report a breach within 60 days of discovery, in violation of 45 C.F.R. § 164.408(b): the loss of boxes of patient files in 2013 was not reported for 160 days. JHS also admitted that it had no policies covering PHI breaches before October 2013.
OCR attempted to resolve the HIPAA violations through informal means, but JHS did not comply, so OCR issued a Notice of Proposed Determination. JHS waived its right to a hearing, and OCR issued a Notice of Final Determination, which was not contested; JHS paid the full financial penalty of $2,154,000.
OCR Director Roger Severino said: “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”
This is the second fine for a HIPAA covered entity to be made public this month and the fifth penalty to be issued in 2019.