OCR Hits Health System with $2.2M Fine for HIPAA Violations

Ballard Spahr LLP

Ballard Spahr LLP

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for failing to meet HIPAA privacy and security requirements. The OCR announcement and accompanying information detail violations that include:

  • The unauthorized access by an employee to the records of more than 24,000 patients over a five-year period (the employee admitted to selling the records of more than 2,000 patients for purposes of identity theft).
  • The unauthorized access by staff members to protected health information about a professional athlete who received services at the health system (with some of that information revealed in the media).
  • The loss of certain patient records.
  • The failure to conduct adequate risk assessments, undertake appropriate measures to manage risks that were identified, and review logs that might have shown inappropriate access to information.
  • The failure to implement and maintain adequate policies and procedures to respond to breaches and the failure to report breaches timely and fully.

Significantly, this case did not involve a settlement between OCR and the health system. The health system did engage with OCR during the course of the investigation but ultimately chose to accept the civil monetary penalty. As a result, the materials do not include a specific corrective action plan under OCR supervision. The materials do identify measures that the health system has taken to improve its privacy and security programs.

Settlement agreements typically provide limited information. By contrast, the notices published in this case provide not only details about the health system’s violations but information about how OCR determined the amount to assess in civil monetary penalties. It considered various factors, including the nature and extent of the violations and the harm resulting from those violations, the history of the health system’s compliance, the health system’s financial condition, and the health system’s cooperation in the investigation. OCR also took into account the health system’s mitigating and corrective actions.

The size of the civil monetary penalty could have been larger. OCR chose to group violations into three broad categories relating to failures in the security management process, information access management, and the provision of notice to HHS. It viewed the first two of these failures as attributable to reasonable cause. New limits cap penalties for matters arising from reasonable cause at $100,000 per year. As a result, most of the civil monetary penalty in this case is attributable to the health system’s failure to provide OCR with timely and accurate notice of a breach caused by a loss of paper records. OCR viewed this failure as one of willful neglect; penalties were capped at $1.5 million even though this violation was seen as lasting only 31 days.

The materials published by OCR serve as a warning about issues that might arise, especially as it relates to implementation of policies designed to prevent and detect HIPAA violations. They also show OCR is prepared to both impose significant civil monetary penalties and temper the amount of those penalties, even in situations that do not involve a formal settlement agreement.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.