Jackson Health System: OCR Proposed Determination (July 22, 2019); OCR Final Determination (Oct. 15, 2019); HHS Press Release (Oct. 23, 2019)
HHS’s Office for Civil Rights (OCR) has announced a $2.15 million civil monetary penalty against a hospital system for multiple violations of the HIPAA security and breach notification rules. OCR opened a compliance review in response to multiple media reports that disclosed PHI of a hospital patient who was a well-known professional football player, including photographs of an electronic display in an operating room and a paper schedule containing PHI. Over the course of its investigation, OCR identified the following HIPAA violations:
Security Rule. Although the hospital conducted several risk analyses, they were deficient because they failed to include all PHI created, received, maintained, or transmitted by the hospital; did not identify all threats and vulnerabilities in the hospital’s information systems; and erroneously stated that certain security rule provisions were inapplicable. The hospital also violated the risk management implementation specification by failing to remediate risks, threats, and vulnerabilities identified in the risk analyses, including some classified as “high risk.” Moreover, despite having the capability to create audit logs and access reports for systems containing PHI, the hospital did not regularly review those reports and failed to detect that an unauthorized employee impermissibly accessed—and apparently sold—PHI of more than 24,000 individuals for over five years. Other employees were able to access patients’ PHI after they no longer had a job-related reason to do so.
Breach Notification Rule. After becoming aware of the loss of paper records containing PHI of more than 1,400 individuals, the hospital missed the deadline for submitting breach notifications to OCR by at least 160 days. Even then, the notification failed to account for some affected individuals, and a corrective addendum was not filed until more than three years later.
In its proposed penalty assessment, OCR applied the “reasonable cause” penalty tier to the security rule violations, with penalties of $1,000 per day. OCR applied the “willful neglect—uncorrected” penalty tier to the breach notification violations, with penalties of $50,000 per day. After applying the calendar-year cap for identical violations, the proposed penalty amounted to $2,154,000. The penalty became final after the hospital waived its right to contest OCR’s findings.
EBIA Comment: This announcement highlights the potential consequences of HIPAA noncompliance, even as several factors combined to limit the final penalty amount. First, OCR’s revised interpretation of the calendar-year penalty caps (see our Checkpoint article) reduced the assessment by over $1.1 million. Second, the six-year statute of limitations precluded penalties for part of the noncompliance period. And, third, OCR did not assess a penalty under the privacy rule despite finding that the hospital failed to make reasonable efforts to limit access to workforce members who need to access PHI to carry out their job duties. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXV (“Breach Notification for Unsecured PHI”), and XXX.B (“Administrative Safeguards”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).
Contributing Editors: EBIA Staff.