Florida Health System Slapped With $2.1 Million HIPAA Penalty
Regulators Say Case Involved Series of Violations
Last week, federal regulators hinted about a pending multi-million-dollar penalty in a HIPAA enforcement case. On Wednesday, the Department of Health and Human Services revealed that it has smacked a Florida healthcare provider with a $2.1 million civil monetary penalty for a series of HIPAA violations.
HHS’ Office for Civil Rights says it imposed the penalty against Miami-based Jackson Health System for a variety of violations of the HIPAA security and breach notification rules between 2013 and 2016.
Jackson Health System is a nonprofit academic medical system that operates six hospitals, a network of urgent care centers, primary care and specialty care centers, long-term care nursing facilities and corrections health services clinics.
A Rare Case
The case is one of only a handful in which the nation’s HIPAA enforcement agency imposed a civil monetary penalty, rather than reach a settlement that calls for corrective action and typically includes a smaller fine.
Ordinarily an organization receiving notice from OCR of a proposed civil money penalty will attempt to negotiate a resolution agreement and corrective action plan, notes privacy attorney David Holtzman of security consulting firm CynergisTek.
“Often the penalty amount of the resolution agreement can be a significant discount to the amount sought in the civil monetary penalty. Sometimes the administrative burden and expense to mitigate the violations uncovered by OCR exceeds the amount that would be paid through paying the full amount of the penalty,” he says. “Resolving the HIPAA violations found by OCR through payment of the civil monetary penalty requires no further corrective action or monitoring.”
The HIPAA violations included the delayed reporting of lost boxes containing patients’ paper records, the unauthorized disclosure of a patient’s protected health information to a journalist and an employee inappropriately accessing and selling patients’ PHI.
OCR’s investigation into the incidents also identified numerous security shortcomings, including failure to: conduct enterprisewide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.
"OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," OCR Director Roger Severino said in the statement. "This hospital system's compliance program failed to detect and stop an employee who stole and sold thousands of patient records, lost patient files without notifying OCR as required by law and failed to properly secure PHI that was leaked to the media."
Each of the Jackson Health System incidents cited by OCR “had a common thread that indicated that the organization lacked a culture of compliance,” Holtzman says. “Just as we have seen in other OCR enforcement actions, their investigation looks at an information security incident that results in a breach as a symptom of larger issues that indicate general failures to have appropriate safeguards in place.”
OCR found a systemic failure across the Jackson Health System in which there had been a lack of attention to putting into place basic safeguards for electronic protected health information, he says.
Jackson Health System waived its right to a hearing and did not contest OCR’s findings, and it has paid the penalty, OCR says.
Privacy attorney Kirk Nahra of the law firm WilmerHale notes that over the years, OCR has tended to focus on certain types of HIPAA enforcement cases.
“These most typically have included egregious failures, particularly in an overall program; repeated problems - not fixing earlier problems or repeat investigations; and ‘send a message [to others]’ cases,” he says.
Severino’s comment about Jackson Health System’s compliance program being in “disarray” seems to put this case into the category of egregious failures, Nahra notes.
The vast majority of OCR’s HIPAA enforcement cases have involved resolution agreements featuring financial settlements and corrective action plans. The agency has tended to issue civil monetary penalties in only its most egregious HIPAA enforcement cases.
To date, OCR has issued more than 60 HIPAA settlements and only five civil monetary penalties in HIPAA enforcement actions, including the Jackson Health System case.
The Jackson Health System case is OCR’s sixth HIPAA enforcement action so far this year.
OCR has focused on unauthorized public disclosure of patient PHI to media outlets in several previous enforcement cases, Nahra notes (see: A Strong Message on Improper PHI Disclosure to News Media).
Those other cases include settlements last year totaling $1 million with three Boston hospitals - Massachusetts General, Brigham & Women's and Boston Medical Center - for allowing crews for the documentary TV show "Save My Life: Boston Trauma" to film on their premises in 2014 and 2015 without obtaining authorization from patients (see: Hospitals Fined $1 Million After TV Crews Film Patients).
In a similar case, OCR signed a $2.2 million settlement with New York-Presbyterian Hospital in connection with the filming of a related ABC News documentary TV show, "NY Med."
In a case involving the unauthorized disclosure of patient PHI on a social media site, OCR signed a $10,000 HIPAA settlement last month with Elite Dental Associates of Dallas.
“One of the recent areas of OCR attention has been public disclosures of PHI in the context of media discussions,” Nahra notes. “That’s clearly an important area. As with any OCR case, there’s always a checklist of problems that companies should be reviewing to make sure they are handling these areas well.”
Jackson Health System's Violations
OCR in its statement notes that on Aug. 22, 2013, Jackson Health System submitted a breach report to OCR stating that its health information management department had lost paper records containing the PHI of 756 patients in January of that year.
The health system’s internal investigation determined that three other boxes of patient records were also lost in December 2012. But the organization did not report the additional loss or the increased number of individuals affected until June 7, 2016, OCR says.
In July 2015, OCR initiated an investigation following a news media report that disclosed the PHI of a Jackson Health patient. “A reporter had shared a photograph of a JHS operating room screen containing the patient's medical information on social media. JHS subsequently determined that two employees had accessed this patient's electronic medical record without a job-related purpose,” OCR says.
Then on Feb. 19, 2016, the health system submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients' records since 2011, OCR says (see: Why Detecting Insider Breaches is So Challenging).
Health System Reacts
In a statement provided to Information Security Media Group, the health system says: “Protecting patient privacy is a top priority at Jackson Health System, and we're disappointed whenever we fall short of our high expectations.”
The health system cooperated fully with the investigation and has taken extensive steps to upgrade its software, procedures, and staff training regarding privacy protections, the statement says. “Jackson Health recognized and reported this because strong organizations like ours admit their errors clearly, learn from them thoughtfully and take decisive action to prevent them in the future.”
Lessons to Learn
Privacy attorney Iliana Peters of the law firm Polsinelli says other organizations can learn lessons from OCR’s case against Jackson Health System.
“The most important lesson for the regulated community to learn is that OCR will proceed to civil monetary penalties where willful neglect is indicated, and that when regulated entities file breach reports with OCR, they should be prepared to get their compliance house in order, so that … OCR can take such efforts into consideration when calculating any civil money penalties.”