The U.S. Department of Health and Human Services Office of Civil Rights (OCR) imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for failing to meet HIPAA privacy and security requirements. The OCR announcement and accompanying information detail violations that include:

• The unauthorized access by an employee to the records of more than 24,000 patients over a five-year period (the employee admitted to selling the records of more than 2,000 patients for purposes of identity theft).
• The unauthorized access by staff members to protected health information about a professional athlete who received services at the health system (with some of that information revealed in the media).
• The loss of certain patient records.
• The failure to conduct adequate risk assessments, undertake appropriate measures to manage risks that were identified, and review logs that might have shown inappropriate access to information.
• The failure to implement and maintain adequate policies and procedures to respond to breaches and the failure to report breaches timely and fully.

Significantly, this case did not involve a settlement between OCR and the health system. The health system did engage with OCR during the course of the investigation but ultimately chose to accept the civil monetary penalty. As a result, the materials do not include a specific corrective action plan under OCR supervision. The materials do identify measures that the health system has taken to improve its privacy and security programs.

Settlement agreements typically provide limited information. By contrast, the notices published in this case provide not only details about the health system’s violations but information about how OCR determined the amount to assess in civil monetary penalties. It considered various factors, including the nature and extent of the violations and the harm resulting from those violations, the history of the health system’s compliance, the health system’s financial condition, and the health system’s cooperation in the investigation. OCR also took into account the health system’s mitigating and corrective actions.

The size of the civil monetary penalty could have been larger. OCR chose to group violations into three broad categories relating to failures in the security management process, information access management, and the provision of notice to HHS. It viewed the first two of these failures as attributable to reasonable cause. New limits cap penalties for matters arising from reasonable cause at $100,000 per year. As a result, most of the civil monetary penalty in this case is attributable to the health system’s failure to provide OCR with timely and accurate notice of a breach caused by a loss of paper records. OCR viewed this failure as one of willful neglect; penalties were capped at $1.5 million even though this violation was seen as lasting only 31 days.

The materials published by OCR serve as a warning about issues that might arise, especially as it relates to implementation of policies designed to prevent and detect HIPAA violations. They also show OCR is prepared to both impose significant civil monetary penalties and temper the amount of those penalties, even in situations that do not involve a formal settlement agreement.