Jackson Health System (JHS), a not-for-profit medical system in Miami, entered a $2.15 million settlement with the OCR to resolve potential violations of the Security and Breach Notification Rules.
In January 2013, JHS lost paper records for 756 patients. JHS reported this breach to the OCR in August 2013. During its investigation, JHS learned that three additional boxes of records affecting 1,436 patients were lost in December 2012; and JHS reported this breach to the OCR in June 2016.
In February 2016, JHS notified the OCR that an employee had inappropriately accessed 24,000 patient records since 2011 and had sold some patient PHI.
Upon investigating, the OCR found:
- JHS did not provide timely and accurate breach notification (notification within 60 days is required by HIPAA)
- JHS did not conduct an enterprise-wide risk analysis or manage risks appropriately
- JHS did not perform information system activity review on a regular basis
- JHS failed to limit employee access to ePHI to the minimum necessary
What can we learn from this?
The OCR has entered five HIPAA settlements so far in 2019. Of these five settlements, three involved an insufficient HIPAA security risk analysis: Jackson Health System; Medical Informatics Engineering, Inc.; and Touchstone Medical Imaging.
The HIPAA security risk analysis is required by law; it is expected by the OCR; and it helps covered entities and business associates identify their security vulnerabilities and fix them - ideally before they amount to a newsworthy, multi-million dollar breach. If you have not conducted a risk analysis yet, or if it has been a year since your last analysis - or if your security environment or uses of PHI have changed since your last analysis - it's time.
Secondly, if your organization does not have breach notification policies and procedures in place, now is a good time to establish them. Without these policies, breaches can slip through the cracks, and notification deadlines can be missed.
Finally, use your HIPAA security risk analysis and policies to identify ways you can prevent and detect improper employee access to patient information. As the OCR points out in the JHS settlement, access limits can prevent theft (and snooping). And regular information system activity review - which is required by the Security Rule - can help you identify improper activity before it amounts to theft or another form of breach.
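As an added illustration of the information system activity review recommended above (this is example code, not from the original post or from JHS), the script below runs two checks over constructed EHR audit-log lines: a bulk-access check, which would surface an account touching far more distinct records than its role warrants, and a minimum-necessary check that flags accesses with no documented treatment relationship. The CSV log format and the treatment-relationship table are assumptions made for the example.

```python
from collections import defaultdict
import csv
import io

# Constructed audit log: timestamp, workforce user, patient record, action.
AUDIT_LOG = """\
2019-03-01T08:02:11,nurse01,P1001,view
2019-03-01T08:05:43,nurse01,P1002,view
2019-03-01T08:07:09,clerk07,P2001,view
2019-03-01T08:07:15,clerk07,P2002,view
2019-03-01T08:07:21,clerk07,P2003,view
2019-03-01T08:07:27,clerk07,P2004,export
2019-03-01T08:07:33,clerk07,P2005,view
2019-03-01T09:15:00,nurse01,P9999,view
"""

# Constructed treatment relationships: the records each user legitimately needs.
CARE_ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "clerk07": {"P2001"},
}


def review_activity(log_text, assignments, max_distinct_patients=3):
    """Return (bulk_access, no_relationship) findings from an audit log.

    bulk_access: users touching more distinct records than the baseline allows.
    no_relationship: (user, patient, action) tuples with no documented
    treatment relationship, i.e. the 'minimum necessary' check that access
    limits are meant to enforce.
    """
    per_user = defaultdict(set)
    no_relationship = []
    for _ts, user, patient, action in csv.reader(io.StringIO(log_text)):
        per_user[user].add(patient)
        if patient not in assignments.get(user, set()):
            no_relationship.append((user, patient, action))
    bulk_access = {u: len(p) for u, p in per_user.items()
                   if len(p) > max_distinct_patients}
    return bulk_access, no_relationship


if __name__ == "__main__":
    bulk, unrelated = review_activity(AUDIT_LOG, CARE_ASSIGNMENTS)
    for user, count in bulk.items():
        print(f"bulk access: {user} touched {count} distinct patient records")
    for user, patient, action in unrelated:
        print(f"no treatment relationship: {user} {action} {patient}")
```

In a real review the baseline would come from the risk analysis (expected records per role per shift) and the relationship table from the scheduling or admissions system, and findings would feed a documented follow-up process.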