In October 2019, the Department of Health & Human Services Office for Civil Rights (OCR) announced the second-ever civil money penalty in the history of Health Insurance Portability and Accountability Act (HIPAA) enforcement. Specifically, OCR imposed a $2.15 million civil money penalty against Jackson Health System (JHS), a nonprofit academic medical system, for various HIPAA violations dating back to 2011.
The action against JHS followed a series of reported breaches of protected health information (PHI) from 2013, 2015, and 2016. Collectively, the facts underlying JHS's string of incidents read like a greatest hits of breaches: lost records, celebrity snooping and improper disclosure of PHI, and electronic PHI that was stolen and sold by a bad-actor employee.
Specifically, JHS reported a patient data breach in 2013 related to lost paper records containing 756 patients’ PHI. JHS later discovered that an additional three boxes of records, containing another 680 patients’ records, were also missing, but failed to report this breach until three years later. JHS’s HIPAA challenges continued when several media reports revealed that an NFL player’s PHI was impermissibly disclosed in July 2015. Similar to other matters involving celebrities, JHS discovered that two of its employees had accessed the football player’s health information “without a job-related purpose,” and leaked photographs containing PHI to the media. Finally, following an internal investigation, JHS reported that an employee had been accessing and selling over 24,000 patients’ PHI without authorization since 2011. Notably, OCR launched its investigation into JHS’s overall HIPAA compliance in October 2015, prior to JHS’s discovery and disclosure of its biggest breach yet.
Ultimately, "OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," according to OCR Director Roger Severino. Specifically, OCR found that JHS failed: "to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members' access to patient electronic PHI to the minimum necessary to accomplish their job duties." Additionally, OCR determined that JHS did not remediate risks, threats, and vulnerabilities to a reasonable and appropriate level. Collectively, JHS failed to conduct an accurate risk analysis, which in turn undermined its risk management and security measures. Based on this array of non-compliance, OCR issued a Notice of Proposed Determination, which led to the imposition of civil money penalties of $2.15 million.
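Two of the findings above, failing to "regularly review information system activity records" and failing to restrict access to the "minimum necessary," are the controls that would have surfaced both the snooping on the football player's chart and the employee who pulled 24,000 patients' records. The script below is an added illustration, not code from the page or from Jackson Health System, of what such a review looks like in practice: it runs two checks over a constructed EHR access audit trail, flagging accesses by users who have no documented care or business relationship with the patient (with higher severity for records marked for extra scrutiny, such as public figures) and users who touch more distinct patients in a day than their role's assumed ceiling. The log fields, the relationship table, the VIP flag and the per-role limits are all assumptions; real EHR audit logs differ in format but record the same basic facts.

```python
"""Audit-log review for ePHI access: relationship check and bulk-access check.

Added illustration only. The log format, relationship table, VIP list and
per-role daily limits below are assumptions, not any real system's data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample audit trail (field names assumed).
AUDIT_LOG_CSV = """\
timestamp,user,role,patient_id,action
2015-07-13T09:02:11,nurse01,RN,P1001,VIEW_CHART
2015-07-13T09:05:40,nurse01,RN,P1001,VIEW_IMAGING
2015-07-13T09:40:12,nurse01,RN,P1002,VIEW_CHART
2015-07-13T10:17:03,clerk07,REGISTRATION,P2077,VIEW_CHART
2015-07-13T10:18:30,clerk07,REGISTRATION,P2077,EXPORT_IMAGING
2015-07-13T11:00:00,billing03,BILLING,P3001,VIEW_DEMOGRAPHICS
2015-07-13T11:00:07,billing03,BILLING,P3002,VIEW_DEMOGRAPHICS
2015-07-13T11:00:14,billing03,BILLING,P3003,VIEW_DEMOGRAPHICS
2015-07-13T11:00:21,billing03,BILLING,P3004,VIEW_DEMOGRAPHICS
2015-07-13T11:00:28,billing03,BILLING,P3005,VIEW_DEMOGRAPHICS
2015-07-13T11:00:35,billing03,BILLING,P3006,VIEW_DEMOGRAPHICS
"""

# Constructed: (user, patient) pairs with a documented job-related purpose
# (active encounter, unit assignment, open claim). Anything not listed here
# has no relationship on record.
RELATIONSHIPS = {
    ("nurse01", "P1001"),
    ("nurse01", "P1002"),
    ("billing03", "P3001"),
    ("billing03", "P3002"),
}

# Constructed: patients whose records warrant extra scrutiny (e.g. public figures).
VIP_PATIENTS = {"P2077"}

# Assumed ceiling on distinct patients one user may touch per day, by role.
DAILY_PATIENT_LIMIT = {"RN": 40, "REGISTRATION": 60, "BILLING": 4}


def parse_log(text):
    """Parse the CSV audit trail into a list of dict events."""
    return list(csv.DictReader(io.StringIO(text)))


def accesses_without_relationship(events, relationships, vip=frozenset()):
    """Flag each access where no user/patient relationship is on record.

    VIP records are rated 'high' because they are the usual snooping target.
    """
    findings = []
    for e in events:
        if (e["user"], e["patient_id"]) in relationships:
            continue
        findings.append({
            "user": e["user"],
            "patient_id": e["patient_id"],
            "action": e["action"],
            "timestamp": e["timestamp"],
            "severity": "high" if e["patient_id"] in vip else "medium",
        })
    return findings


def bulk_access_by_user(events, limits):
    """Flag users whose distinct-patient count in a day exceeds their role's limit."""
    seen = defaultdict(set)  # (user, role, day) -> set of patient_ids
    for e in events:
        day = e["timestamp"][:10]
        seen[(e["user"], e["role"], day)].add(e["patient_id"])
    findings = []
    for (user, role, day), patients in seen.items():
        limit = limits.get(role, 0)  # unknown role: any access is over the limit
        if len(patients) > limit:
            findings.append({"user": user, "role": role, "day": day,
                             "distinct_patients": len(patients), "limit": limit})
    return findings


def review(log_text):
    """Run both checks and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "no_relationship": accesses_without_relationship(events, RELATIONSHIPS, VIP_PATIENTS),
        "bulk_access": bulk_access_by_user(events, DAILY_PATIENT_LIMIT),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(AUDIT_LOG_CSV), indent=2))
```

On the constructed data the relationship check flags clerk07's two accesses to the VIP chart (including an export) and billing03's four accesses to patients outside the user's assigned claims, and the bulk check flags billing03 for touching six distinct patients against a limit of four. A production version would need a legitimate-exception path (emergency "break the glass" access, covering clinicians), per-role baselines learned from history rather than fixed numbers, and a retention policy so the audit trail itself survives long enough to be reviewed.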
In ending with civil money penalties, JHS's case was a HIPAA anomaly. Indeed, unlike the overwhelming majority of other entities that have been the subject of alleged HIPAA violations, JHS elected neither to contest OCR's findings in a hearing nor to enter a settlement agreement in lieu of admitting wrongdoing. To be sure, when OCR disclosed the JHS matter, there were over 60 publicly announced HIPAA settlements and only one prior civil money penalty case, the Cignet Health of Prince George's County matter in 2011.
With this enforcement action, OCR has reaffirmed its willingness to impose HIPAA penalties based on actual determinations of violations rather than simply accept settlement deals. Beyond that, this case reiterates the theme at the heart of nearly all publicly disclosed HIPAA enforcement matters: there are significant risks when entities fail to take additional compliance measures after one or more impermissible uses or disclosures of PHI have occurred. Indeed, it appears that OCR expects all covered entities to engage in a refreshed security risk assessment on the heels of any breach. Of course, additional workforce training and updating of policies and procedures should also occur as part of an entity's post-breach action plan.