The U.S. Department of Health and Human Services Office of Civil Rights (OCR) imposed $2,154,000 in civil and monetary penalties on a health system for HIPAA violations.
OCR determined that Jackson Health System in Florida failed multiple HIPAA privacy and security requirements. In determining the amount of penalties to assess, OCR took into consideration many factors, including the nature and extent of the violations, the harm resulting from the violations, the organization’s steps for mitigation and correction, the organization’s compliance history and the organization’s financial condition.
The HIPAA violations included an employee’s unauthorized access to patient records (more than 24,000 records) over a five-year period during which the employee admitted to selling information for purposes of identity theft. Other violations were unauthorized access to and use of health information about a professional athlete, and loss of patient records.
OCR sorted the violations into three groups and assessed penalties for each group separately. Organizations must make sure to keep their HIPAA policies and procedures up to date and ensure workforce compliance with HIPAA requirements.