Jessica Kim Cohen
October 24, 2019
A Florida health system has paid
$2.1 million to HHS' Office for Civil Rights in one of the biggest HIPAA fines
this year.
The OCR imposed the fine on Jackson
Health System, an academic health system based in Miami, after an investigation
revealed three separate HIPAA violations since 2013. Jackson Health System
waived its right to a hearing and did not contest the OCR's findings. It has
already paid the civil money penalty in full, according to the OCR.
"OCR's investigation revealed
a HIPAA compliance program that had been in disarray for a number of
years," OCR Director Roger Severino said in a statement Thursday.
The largest data breach, which
Jackson Health System reported to the OCR in 2016, involved an employee
inappropriately accessing—and sometimes selling—more than 24,000 patients'
records, beginning in 2011. An OCR investigation found the health system had
failed to provide timely breach notification to HHS and to appropriately
restrict employees' access to patient data, among other issues.
The other two HIPAA violations
involved a leak of patient health information to the media and a loss of paper
records.
In 2015, the OCR began an
investigation after a reporter shared on social media a photograph that
included an operating room screen containing a patient's medical information.
As a result of the investigation, Jackson Health System determined that two
employees had inappropriately accessed the patient's electronic medical record.
In 2013, Jackson Health System
reported to the OCR that its health information management department had lost
paper records of 756 patients earlier that year. An internal investigation at
Jackson Health System later revealed that an additional three boxes of patient
records were lost in late 2012, but the health system did not report the
increase in affected patients until 2016.
"This hospital system's
compliance program failed to detect and stop an employee who stole and sold
thousands of patient records; lost patient files without notifying OCR as
required by law; and failed to properly secure PHI that was leaked to the
media," Severino said.
Jackson Health System said it has
taken steps to upgrade its software, procedures and staff training related to
privacy.
"Protecting patient privacy is
a top priority at Jackson Health System, and we're disappointed whenever we
fall short of our high expectations," a spokesperson for the health system
said. "Jackson recognized and reported this because strong organizations
like ours admit their errors clearly, learn from them thoughtfully, and take
decisive action to prevent them in the future."
Jackson Health System's fine marks
one of the OCR's largest settlements this year.
Touchstone Medical Imaging agreed to pay the OCR $3 million in
May, marking the largest HIPAA fine announced by the OCR in 2019. The
diagnostic medical imaging services company allegedly exposed more than 300,000
patients' protected health information by not adequately restricting access to
information on one of its servers.