Helping Organizations Achieve HIPAA Compliance ™
Call Today: (800) 733-6379

HIPAA Compliance Blog

Organizations Have as Much Responsibility to Safeguard Paper Records as Electronic Ones

by ih-coc admin

A Florida healthcare system has received one of the biggest HIPAA fines this year. Jackson Health System (JHS), an academic organization based in Miami, was penalized $2.1 million by HHS' Office for Civil Rights. An OCR investigation revealed three separate HIPAA violations since 2013. 

JHS, a nonprofit, serves around 650,000 patients a year in six major hospitals and a network of affiliated healthcare facilities. The penalty stands out as the first of this size to be published in recent years, indicating JHS’ violations were pretty severe.

According to the Miami Herald, JHS waived its right to a hearing, paid the penalty and did not contest the findings of the investigation. Here are the three biggest violations the investigation found.

A massive data breach was not reported in time

JHS reported the largest data breach to the OCR back in 2016. The breach involved an employee inappropriately accessing - and apparently selling - more than 24,000 patients' records. (One of those records even included a patient who was an NFL player.) What’s worse, though, is that the breaches had been happening since 2011. OCR’s investigation found the health system had failed to provide timely breach notification to HHS and to appropriately restrict employees' access to patient data, among other issues. Additionally, criminal charges were brought against the employee in question.

A reporter’s photograph started another investigation

In 2015, a reporter shared on social media a photograph that included an operating room screen containing a patient's medical information. This photograph prompted yet another separate investigation by the OCR at the time. As a result of that investigation, it was determined two employees had inappropriately accessed the patient's electronic medical record.

Physical papers were lost

This third violation is something that really needs to be noted, because people sometimes forget physical paperwork is just as sensitive as digital records. In 2013, JHS reported to the OCR that its health information management department had lost paper records of 756 patients earlier that year. An internal investigation eventually revealed that an additional three boxes of patient records were lost in late 2012. To make matters worse, JHS did not report the increase in the number of patients affected until 2016. 

Civil monetary penalties under HIPAA are imposed under a tiered system that takes into consideration the degree to which the entity was aware that HIPAA Rules were being violated. We covered this pretty extensively in a previous blog. So, what does it mean when an organization is penalized to this extent? I think we all know the answer here. 

Here’s another question. Putting aside the “right” thing to do, which is the “easier” thing for your organization to do? Should you follow HIPAA guidelines and protect both digital and physical records (and thus the lives) of your patients and employees? Or should you plan for millions of dollars in penalties, along with a heck of a lot of bad press? At Colington Consulting, we’re here to help you do what’s easier and right.

Take Action Now

Does your organization have a fully implemented HIPAA Risk Management Plan that includes how to address protections for ePHI and PHI? If not, we can develop one for you as part of our comprehensive package of HIPAA services. Give us a call today at 800-733-6379 or drop us an email at info@cchipaa.com for a free, initial consultation.


