The Office for Civil Rights (OCR) announced on October 23, 2019, that Jackson Health System (Jackson), a not-for-profit hospital system comprised of six hospitals, urgent care centers, nursing facilities, and primary care and specialty services based in Miami, Florida, has waived its right to a hearing and did not contest the findings set forth in the OCR’s Notice of Proposed Determination (NPD), and has agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson will pay the full fine of $2.15 million.

According to the OCR, Jackson notified the OCR in 2013 that paper records of 256 patients’ personal health information (PHI) located in three boxes were lost in 2012. It thereafter reported in 2016 that the loss was actually 1,436 patient records.

On top of that, in July of 2015, the OCR started an investigation into Jackson after a media report that “disclosed the PHI of a JHS patient.” A reporter “shared a photograph of a JHS operating room screen containing the patient’s medical information on social media. JHS subsequently determined that two employees had accessed this patient’s electronic medical records without a job-related purpose.”

Jackson then submitted a breach report to OCR in February 2016 stating that since 2011 an employee had inappropriately accessed 24,000 patients’ records and had been selling some of those records.

According to the OCR, its investigation found that Jackson “failed to provide timely and accurate breach notification” to the OCR, failed to conduct risk analyses, regularly review information system activity records, or restrict workforce members’ access to protected health information. However, the NPD indicates that Jackson provided risk analyses conducted by third parties dated 2014, 2015, 2016, and 2017, and internal assessments from 2009, 2012 and 2013. The OCR noted that Jackson “did not remediate the risks, threats and vulnerabilities identified specifically by the 2014 risk analysis to a reasonable and appropriate level” and could not provide documentation that it had responded to the recommendations of the third party. The OCR reviewed each risk analysis and Jackson’s response, which is detailed in the NPD.

If you have never seen a Notice of Proposed Determination before, take a look at this one as it is a clear roadmap of how the OCR requests information from covered entities during an investigation, how it makes judgments based upon the documents provided and the covered entity’s response to the risk analyses, and how it determines the computation of monetary fines and penalties. This is a rare look inside that those of you who have never been involved in an OCR enforcement action should pay attention to and take note of for compliance efforts. The operative word here is “document, document, document.” The NPD is a roadmap of failings that are not unique to large systems and can be used as a substantive learning tool. One of the primary lessons from this case is to perform risk analyses, have a plan to respond to the risk analyses depending on the level of risks identified, and document that response. Putting the risk analysis on the shelf is difficult to defend.

OCR stated that its “investigation revealed a HIPAA compliance program that had been in disarray for a number of years.”