Last week, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty (“CMP”), to the tune of $2.15 million, against Jackson Health System (“JHS”).  The CMP stemmed from JHS’ numerous HIPAA violations that occurred from 2013 through 2016.  

JHS’ HIPAA violations ran the gamut, from lost paper records, to impermissible media disclosures, to violations of the minimum necessary rule, to a rogue employee selling patients’ protected health information (“PHI”).  OCR’s Director, Roger Severino, noted that JHS’ “HIPAA compliance program . . . had been in disarray for a number of years.”

With regard to the lost paper records: in August 2013, JHS submitted a breach report to OCR stating that it had lost paper records containing the PHI of over 700 patients.  During its subsequent internal investigation, however, JHS discovered that it had also lost three additional boxes of paper records in December 2012.  JHS did not report that loss to OCR until June 2016, even though it doubled the number of affected patients.

In June 2015, OCR opened an investigation of JHS after learning that a reporter had shared a photo of a JHS operating room screen that displayed a patient’s PHI.  After the photo was published, JHS discovered that two of its employees had violated the minimum necessary rule by accessing that patient’s record without a job-related purpose.

In February 2016, JHS experienced the most egregious of its HIPAA violations.  JHS submitted a breach report to OCR indicating that a JHS employee inappropriately accessed over 24,000 patient records and had been selling patients’ PHI.

OCR’s investigation of the above incidents uncovered that JHS failed to respond to breaches in a timely manner, did not conduct enterprise-wide risk analyses, did not audit system activity, and had no restrictions in place to limit workforce members’ access to patients’ electronic PHI.

There are some important takeaways from this latest OCR enforcement action.  First, covered entities and business associates, both large and small, should take the time to conduct an overall assessment of their HIPAA compliance programs.  Second, organizations should audit employee access to records, focusing on access for which a job-related purpose is unlikely (e.g., the records of persons in the media, co-workers, or family members).  Third, covered entities should implement reasonable restrictions to prevent classes of workforce members from impermissibly accessing PHI.  Lastly, covered entities should take care when interacting with the media, to ensure that there are no inadvertent disclosures of PHI without a proper HIPAA authorization from the patient.
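To make the second takeaway concrete, the following is an added example (not code from the original post, and not from any JHS system) of the kind of retrospective access audit that would have surfaced the conduct described above: it reads EHR audit-log rows, treats a documented care-team relationship as the job-related purpose, and flags everything else, with extra weight on records of workforce members, high-profile patients, and patients who share a surname with the accessing employee, plus a simple volume check for one user touching an unusual number of distinct charts.  All employee IDs, patient IDs, flags, the care-team mapping and the log rows are constructed for illustration.

```python
"""Retrospective EHR access audit over constructed audit-log rows.

Added illustration, not any real system's data or code.  In practice the
reference tables below would come from the EHR (encounters, care-team
assignments) and HR (workforce roster); here they are hypothetical.
"""
from collections import defaultdict

# Hypothetical workforce roster (employee ID -> attributes).
EMPLOYEES = {
    "e100": {"surname": "Ortiz", "dept": "ICU"},
    "e200": {"surname": "Nguyen", "dept": "Surgery"},
    "e300": {"surname": "Patel", "dept": "Billing"},
}

# Hypothetical patient index.  "employee" marks a patient who is also a
# workforce member (a co-worker's chart); "high_profile" marks a patient
# whose care has drawn media or public interest.
PATIENTS = {
    "p1": {"surname": "Nguyen", "flags": set()},
    "p2": {"surname": "Reyes", "flags": {"high_profile"}},
    "p3": {"surname": "Santos", "flags": {"employee"}},
    "p4": {"surname": "Kim", "flags": set()},
    "p5": {"surname": "Patel", "flags": set()},
}

# Patient -> employees with a documented treatment, payment or operations
# relationship.  This is the "job-related purpose" the audit checks for.
CARE_TEAM = {
    "p1": {"e200"},
    "p2": {"e100"},
    "p3": {"e100"},
    "p4": {"e300"},
    "p5": {"e100"},
}

# Constructed audit-log rows: (employee ID, patient ID, action).
ACCESS_LOG = [
    ("e200", "p1", "view"),   # surgeon on the care team: expected
    ("e200", "p2", "view"),   # not on care team; high-profile patient
    ("e300", "p3", "view"),   # billing clerk reading a co-worker's chart
    ("e100", "p3", "view"),   # ICU clinician on the care team: expected
    ("e300", "p1", "print"),  # no relationship
    ("e300", "p2", "print"),  # no relationship; high-profile patient
    ("e300", "p4", "view"),   # on care team: expected
    ("e300", "p5", "view"),   # no relationship; same surname as employee
]


def audit_accesses(log, employees, patients, care_team, bulk_threshold=4):
    """Return a list of findings, one per suspicious access plus one per
    user whose number of distinct charts meets bulk_threshold.

    bulk_threshold is a constructed cutoff; a real deployment would
    baseline it per role and time window rather than hard-code it.
    """
    findings = []
    distinct_by_user = defaultdict(set)

    for user, patient, action in log:
        distinct_by_user[user].add(patient)
        if user in care_team.get(patient, set()):
            continue  # documented relationship: job-related purpose present
        emp, pat = employees[user], patients[patient]
        reasons = ["no documented treatment relationship"]
        if "employee" in pat["flags"]:
            reasons.append("patient is a workforce member")
        if "high_profile" in pat["flags"]:
            reasons.append("patient flagged as high-profile")
        if emp["surname"].casefold() == pat["surname"].casefold():
            # A lead for human review, not proof of a family relationship.
            reasons.append("patient shares surname with employee")
        findings.append(
            {"user": user, "patient": patient, "action": action, "reasons": reasons}
        )

    for user, charts in distinct_by_user.items():
        if len(charts) >= bulk_threshold:
            findings.append(
                {
                    "user": user,
                    "patient": None,
                    "action": "bulk",
                    "reasons": [f"accessed {len(charts)} distinct patient records"],
                }
            )
    return findings


if __name__ == "__main__":
    for f in audit_accesses(ACCESS_LOG, EMPLOYEES, PATIENTS, CARE_TEAM):
        print(f["user"], f["patient"], f["action"], "; ".join(f["reasons"]))
```

The check that carries the audit is the care-team lookup: an access with a documented relationship is skipped outright, and everything else is a finding whose reasons list is ordered from the generic (no relationship) to the specific aggravating context a reviewer would want first.  The surname match is deliberately a review lead rather than a verdict, and the volume check is what would single out an employee pulling thousands of charts regardless of whose they were.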

If you have any questions or need assistance with policy and procedure drafting or review, please contact Stephanie S. Sobkowiak at 203.772.7782 or ssobkowiak@murthalaw.com or Daniel J. Kagan, at 203.772.7726 or dkagan@murthalaw.com.

Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.