The Office for Civil Rights (OCR) announced on October 23, 2019, that Jackson Health System (“Jackson”), a not-for-profit hospital system based in Miami, Florida, comprising six hospitals, urgent care centers, nursing facilities, and primary care and specialty services, waived its right to a hearing, did not contest the findings set forth in the OCR’s Notice of Proposed Determination, and agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson agreed to pay the full fine proposed by OCR in the amount of $2.15 million.

According to the OCR, Jackson notified the OCR in 2013 that paper records of 256 patients, located in three boxes, had been lost in 2012. It thereafter reported in 2016 that the loss actually involved 1,436 patient records.

On top of that, in July 2015, the OCR opened an investigation of Jackson after a media report that “disclosed the PHI of a JHS patient.” A reporter “shared a photograph of a JHS operating room screen containing the patient’s medical information on social media. JHS subsequently determined that two employees had accessed this patient’s electronic medical records without a job-related purpose.”

JHS then submitted a breach report to OCR in February 2016 stating that an employee had inappropriately accessed 24,000 patients’ records since 2011 and had been selling some patient records.

According to the OCR, its investigation found that Jackson “failed to provide timely and accurate breach notification” to the OCR, failed to conduct risk analyses, failed to regularly review information system activity records, and failed to restrict workforce members’ access to protected health information. However, the Notice of Proposed Determination indicates that Jackson provided risk analyses conducted by third parties dated 2014, 2015, 2016, and 2017 and internal assessments from 2009, 2012, and 2013. The OCR noted that Jackson “did not remediate the risks, threats and vulnerabilities identified specifically by the 2014 risk analysis to a reasonable and appropriate level” and could not provide documentation that it responded to the third party’s recommendations. The OCR reviewed each risk analysis and Jackson’s response to it, as detailed in the Notice of Proposed Determination.

If you have never seen a Notice of Proposed Determination before, take a look at this one, as it is a clear roadmap of how the OCR requests information from covered entities during an investigation, how it makes judgments based upon the documents provided and the covered entity’s response to the risk analyses, and how it computes monetary fines and penalties. This is a rare look inside an OCR enforcement action, and those of you who have never been involved in one should pay attention to it and take note of it for your compliance efforts. The operative words here are “document, document, document.” The Notice of Proposed Determination is a roadmap of failings that are not unique to large systems and can be used as a substantive learning tool. One of the primary lessons from this case is to perform risk analyses, have a plan to respond to them based on the level of risk identified, and document that response. Putting the risk analysis on the shelf is really hard to defend.

OCR stated that its “investigation revealed a HIPAA compliance program that had been in disarray for a number of years.”