Following on the heels of a few relatively small HIPAA settlements, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it has imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for its failure to meet HIPAA privacy and security requirements. The OCR announcement and accompanying information detail violations that included:
- The unauthorized access by an employee to the records of more than 24,000 patients over a five-year period (the employee admitted to selling protected health information of more than 2,000 patients for purposes of identity theft).
- The unauthorized access by staff members to protected health information about a professional athlete who received services at the health system (with some of the information revealed on public media).
- The loss of certain patient records.
- The failure to conduct adequate risk assessments, undertake appropriate measures to manage risks that were identified, and review logs that might have shown inappropriate access to information.
- The failure to implement and maintain adequate policies and procedures to respond to breaches and the failure to report breaches timely and fully.
Significantly, this case did not involve a settlement between OCR and the health system. The health system did engage with OCR in the course of the investigation, but ultimately chose to accept the civil monetary penalty. As a result, the materials do not include a specific corrective action plan for the health system to follow under OCR supervision. The materials do identify measures that the health system has undertaken to improve its privacy and security programs.
Settlement agreements typically provide limited information. By contrast, the notices published in this case provide not only details about the health system’s violations, but information about how OCR determined the amount to assess in civil monetary penalties. It considered various factors, including the nature and extent of the violations and the harm resulting from those violations, the history of the health system’s compliance, and the health system’s financial condition and cooperation in the investigation. OCR also took into account the health system’s mitigating and corrective actions.
Notwithstanding the size of the civil monetary penalty, it could have been larger. OCR chose to group violations into three broad categories, relating to failures in the security management process, information access management, and the provision of notice to HHS. It viewed the first two of these failures as attributable to reasonable cause. New limits cap penalties for any one type of violation arising from reasonable cause at $100,000 per year. As a result, most of the civil monetary penalty in this case is attributable to the health system’s failure to provide OCR with timely and accurate notice of a breach caused by a loss of paper records. OCR viewed this failure as one of willful neglect, for which penalties were capped at $1.5 million, even though this violation was seen as lasting only 31 days.
The materials published by the OCR serve as a warning about issues that might arise, particularly with regard to the implementation of policies designed to prevent and detect HIPAA violations. They also provide insight into how OCR is prepared to both impose significant civil monetary penalties and temper the amount of those penalties, even in situations that do not involve a formal settlement agreement.