Jackson Health System (JHS) paid a civil money penalty of $2.15 million for violating some of HIPAA’s provisions.

The case dates back to August 2013 when JHS submitted a breach report to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services.

In its report, the Miami-based nonprofit academic medical system revealed that it had lost paper records containing the protected health information (PHI) of 756 patients back in January of that year.

At that time, JHS also knew it had lost three boxes of records containing the PHI of an additional 650 patients, though it didn’t report the incident’s expanded scope to the OCR until June 2016.

This revelation came several months after Jackson Health System submitted a breach report for another incident in which it determined that an employee had inappropriately accessed over 24,000 patients’ PHI since 2011 and then sold it.

This wasn’t the first time that OCR had learned of this type of activity involving JHS. In fact, it launched an investigation back in June 2015 after a media report disclosed the PHI of a JHS patient. Subsequently, the health system determined that two of its employees had accessed that particular patient’s PHI without a legitimate work-related purpose.

At the completion of its investigation, the OCR concluded that JHS had failed to abide by HIPAA’s Security and Breach Notification Rules between 2013 and 2016. OCR Director Roger Severino expanded upon the nature of this conclusion in a press release:

OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years. This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law;