OCR imposes $2.15 million fine against health system for multiple and significant HIPAA violations

    Nov 1, 2019

    By Jéna Grady

    On October 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that it had imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for multiple HIPAA violations.

JHS is a nonprofit academic medical system in Florida that provides health services to approximately 650,000 patients annually and employs about 12,000 individuals. The factors OCR evaluated in determining the $2.15 million civil money penalty, drawn from OCR's notice of proposed determination to JHS, are discussed below.

    Improper disclosure of PHI of an NFL player and unauthorized access to PHI by employee leading to selling of PHI

In July 2015, OCR started an investigation after a media report disclosed the PHI of an NFL player who was a JHS patient. OCR determined during its investigation that a nurse who treated the NFL player in the operating room continued to access his PHI thereafter even though she no longer had a reason to do so. Another employee also accessed the NFL player's PHI without authorization. While OCR recognized that JHS did sanction these employees, the broad access these employees were able to exercise demonstrated JHS's lack of control over appropriate workforce access to ePHI.

Furthermore, on January 4, 2016, JHS's Office of Compliance and Ethics was notified by an anonymous caller that an employee was selling patients' ePHI. JHS determined that the employee had been able to access ePHI without proper authorization or authority for over five years and had inappropriately accessed over 24,000 patient records.

    OCR noted that based on the above, JHS failed to (i) implement procedures to regularly review audit logs and access reports to ensure there is proper access to ePHI and (ii) implement policies and procedures for granting access to ePHI so that JHS's workforce may only access the minimum necessary to fulfill their job duties.

    Failure to timely report to OCR lost patient records

JHS had two incidents of lost patient records: one in December 2012 affecting 715 patients and one in January 2013 affecting 756 patients. HIPAA requires a covered entity to report breaches of unsecured protected health information involving 500 or more individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, yet JHS did not submit a breach report to OCR until August 22, 2013 (meaning JHS was at least 160 days late in reporting the breach). Furthermore, the initial report to OCR identified only the January 2013 loss, and JHS did not submit an addendum reflecting the December 2012 loss until June 7, 2016.

OCR also noted that JHS's breach notification policy, implemented in October 2013, did not include specific procedures for ensuring that notification would be submitted to OCR as required by the Breach Notification Rule.

    Failure to conduct adequate risk assessments and implement security measures to identified risks and vulnerabilities as required by the Security Rule

In response to several data requests from OCR, JHS provided OCR with "risk analyses" that had been conducted by third-party vendors for each year from 2014 through 2017. OCR noted the following about the risk analyses:

• Risk analyses conducted before 2017 erroneously stated that several provisions of the Security Rule were not applicable to JHS.
• None of the analyses included all ePHI created, received, maintained, or transmitted by JHS, and none identified the totality of threats and vulnerabilities that existed in JHS's systems.
• The 2017 risk analysis covered only the main campus of JHS.
• Two risk analyses had blank sections.

OCR noted that, for the risk analyses provided, JHS did not remediate the risks, threats, and vulnerabilities the analyses identified to a reasonable and appropriate level as required by the Security Rule. Furthermore, "high risks" identified in the 2014 and 2015 risk analyses were still identified as "high risks" in the 2016 risk analysis, with no evidence from JHS of efforts to reduce these risks and vulnerabilities.

    Takeaways

    Covered entities can learn the following from OCR's notice of proposed determination:

    • It is not enough to have the capability to create audit logs and access reports for systems that contain ePHI. Records of information system activity need to be reviewed on a regular basis.
    • Have policies and procedures in place that address the Breach Notification Rule and include specific procedures for effectively providing notification under this Rule.
    • Conduct yearly risk assessments that include all ePHI created, received, maintained, or transmitted by the covered entity.
    • Review yearly completed risk assessments and identify and address threats and vulnerabilities that need to be remediated.
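As an added example (not from the article or from OCR's notice), the check below runs over a few constructed EHR audit-log lines and flags the two access patterns OCR described: a clinician who keeps opening a record after the care episode has ended, and a user who touches far more patient records than any job role would need. The episode table, the grace window and the volume threshold are assumptions a covered entity would tune to its own systems.

```python
"""Regular review of an ePHI access report over constructed audit-log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed care episodes: (user, patient, start, end). In practice these
# would come from the EHR's encounter or assignment tables (assumption).
EPISODES = [
    ("nurse_a", "pt_1001", "2015-06-01", "2015-06-03"),
]

# Constructed audit-log lines: timestamp|user|patient|action
LOG = """\
2015-06-02T10:00|nurse_a|pt_1001|view
2015-06-02T14:30|nurse_a|pt_1001|view
2015-06-20T09:15|nurse_a|pt_1001|view
2015-07-01T08:05|clerk_b|pt_1001|view
2015-07-01T08:06|clerk_b|pt_1002|view
2015-07-01T08:07|clerk_b|pt_1003|view
2015-07-01T08:08|clerk_b|pt_1004|view
""".strip().splitlines()

GRACE = timedelta(days=7)  # post-episode window for legitimate follow-up (assumption)
VOLUME_THRESHOLD = 3       # distinct patients per user per review period (assumption)


def parse(lines):
    for line in lines:
        ts, user, patient, action = line.split("|")
        yield datetime.fromisoformat(ts), user, patient, action


def in_episode(user, patient, ts):
    """True if the access falls inside a documented care episode (plus grace)."""
    for u, p, start, end in EPISODES:
        if u == user and p == patient:
            if datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end) + GRACE:
                return True
    return False


def review(lines):
    """Return (accesses outside any care episode, users over the volume threshold)."""
    out_of_episode, patients_by_user = [], defaultdict(set)
    for ts, user, patient, _action in parse(lines):
        patients_by_user[user].add(patient)
        if not in_episode(user, patient, ts):
            out_of_episode.append((ts.isoformat(), user, patient))
    high_volume = sorted(u for u, ps in patients_by_user.items() if len(ps) > VOLUME_THRESHOLD)
    return out_of_episode, high_volume
```

Users with no documented episode at all (here clerk_b) are surfaced by both checks, which is the point: the report review is what turns an existing audit log into evidence that access is, or is not, limited to the minimum necessary.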

    OCR's press release about the civil money penalty against JHS can be found here.

    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.