Miami-based Jackson Health System paid a $2.2 million civil penalty levied by the U.S. Department of Health and Human Services for multiple security and privacy breaches—including those of an NFL player—that occurred between 2013 and 2016.
Jackson Health System is a nonprofit academic medical system operating six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities and corrections health services clinics.
According to a release, OCR initiated an investigation following a media report that disclosed the protected health information of a patient in July 2015. That month, an ESPN reporter posted a picture of a medical record for New York Giants defensive end Jason Pierre-Paul on Twitter, according to the Miami Herald. Pierre-Paul had his right index finger amputated at the hospital following a Fourth of July fireworks accident in Miami.
"JHS subsequently determined that two employees had accessed this patient's electronic medical record without a job-related purpose," OCR said.
OCR's enforcement action against the health system also stems from a patient data breach in 2013 related to lost paper records. According to OCR, in August 2013, the health system submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the protected health information of 756 patients in January 2013.
The health system's internal investigation determined that an additional three boxes of patient records were also lost in December 2012; however, Jackson Health did not report the additional loss or the increased number of individuals affected until June 2016, OCR said.
"OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," OCR Director Roger Severino said in a statement.
The health system's issues with protecting patient data continued when Jackson Health reported to OCR in February 2016 that an employee had been selling patients' protected health information. That incident led to criminal charges against that employee, Evelina Sophia Reid.
In February 2017, the U.S. Attorney’s Office for the Southern District of Florida charged Reid, an employee at Jackson Health since 2005, with identity theft, alleging that she stole approximately 24,000 patient records from the hospital’s computer over a five-year period and gave the information to co-conspirators who filed fraudulent tax returns.
"This hospital system's compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media," Severino said.
"OCR's investigation revealed that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties," the agency said.
JHS waived its right to a hearing and did not contest the findings in OCR's notice of proposed determination, OCR said, and the agency issued a notice of final determination (PDF). The health system has paid the full civil money penalty.