A HIPAA Compliance Program “In Disarray” Leads to OCR Imposing a $2.15 Million Civil Monetary Penalty

Murtha Cullina

Last week, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty (“CMP”), to the tune of $2.15 million, against Jackson Health System (“JHS”).  The CMP stemmed from JHS’ numerous HIPAA violations that occurred from 2013 through 2016.  

JHS’ HIPAA violations ran the gamut, from lost paper records, to impermissible media disclosures, to violations of the minimum necessary rule, to a rogue employee selling patients’ protected health information (“PHI”).  OCR’s Director, Roger Severino, noted that JHS’ “HIPAA compliance program . . . had been in disarray for a number of years.”

With regard to the lost paper records, in August 2013, JHS submitted a breach report to OCR, notifying OCR that it lost paper records that contained the protected health information (“PHI”) of over 700 patients.  However, subsequent to making the report, upon its own internal investigation, JHS discovered that it had lost three additional boxes of paper records in December 2012.  JHS did not report this loss to OCR until June 2016, even though this breach doubled the number of affected patients.

In June 2015, OCR initiated an investigation against JHS after it discovered that a reporter shared a photo of a JHS operating room screen that contained a patient’s PHI.  After this publication, JHS discovered that two of its employees violated the minimum-necessary rule, accessing this patient’s record without having a job-related purpose.

In February 2016, JHS experienced the most egregious of its HIPAA violations.  JHS submitted a breach report to OCR indicating that a JHS employee inappropriately accessed over 24,000 patient records and had been selling patients’ PHI.

Through OCR’s investigation of the above incidents, it uncovered that JHS failed to provide timely breach response, did not conduct enterprise-wide risk analyses, did not perform audits of system activity, and did not have any restrictions in place to prevent workforce members’ access to patients’ electronic PHI.

There are some important takeaways from this latest OCR enforcement action.  First, covered entities and business associates, both large and small, should take time to conduct an overall assessment of their HIPAA compliance programs.  Second, organizations should ensure that they audit employee access, focusing on those records where there is not likely to be a job-related purpose (e.g. persons in the media, co-workers, family members). Third, covered entities should implement reasonable restrictions to prevent classes of workforce members from impermissibly accessing PHI.  Lastly, covered entities should take care when interacting with the media, to ensure that there are no inadvertent disclosures of PHI without a proper HIPAA authorization from the patient.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Murtha Cullina | Attorney Advertising

Written by:

Murtha Cullina

Murtha Cullina on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.