Jackson Health Is Fined $2M for HIPAA Violations; CCO, PO Say Changes Have Been Made

In a case that includes the theft of electronic protected health information (ePHI) by an employee who now sits in a federal prison and the loss of paper medical records that wasn’t timely reported, Jackson Health System in Miami was fined $2.15 million for violating the HIPAA Security and Breach Notification regulations from 2013 to 2016, the HHS Office for Civil Rights (OCR) said Oct. 23. OCR contended that the health system’s security risk assessments were inadequate and that it didn’t implement policies and procedures to “prevent, detect, contain, and correct” its security violations, according to the notice of proposed determination, which has been finalized.

Things are different now, say Jackson Health System’s chief compliance officer and chief privacy officer. “It has been changing over time since I arrived,” Judy Ringholz, who has been chief compliance officer for three and a half years, tells RMC. The chief privacy officer, Blaine Kerr, who joined in 2017, has enhanced HIPAA compliance training and worked with the chief information security officer to hire a new security risk assessment vendor and implement user activity monitoring software. But they knew the OCR enforcement action was coming, although the breaches happened before their time.

“We’ve been waiting for the resolution,” Ringholz says. It wasn’t in the form of a resolution agreement, which is more common and typically means lower penalties but onerous compliance obligations and regular reporting to OCR. “Jackson elected to pay the civil money penalty rather than execute a settlement agreement,” she explains.

According to OCR’s notice of proposed determination, Jackson Health System, which includes six hospitals and primary and specialty clinics, submitted a breach notification report to OCR in August 2013 about the January 2013 loss of paper records from the health information management department for 756 patients, missing the 60-day deadline for reporting breaches to OCR. Subsequently, when an employee told a supervisor that two more boxes of paper records went AWOL—emergency room records affecting 500 patients—the supervisor didn’t tell security services, and it was never reported to OCR.

This document is only available to subscribers. Please log in or purchase access.


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field