October 31, 2019

OCR Issues $2.15 Million Civil Monetary Penalty Against Academic Medical System

On October 23, OCR imposed a civil monetary penalty of $2.15 million against Jackson Health System (JHS), a nonprofit academic medical system, for multiple alleged instances of HIPAA noncompliance from 2013 to 2016. In August 2013, JHS submitted a breach notification to OCR, disclosing that in January, 2013, JHS had lost paper records containing PHI. An internal investigation revealed that additional records were lost in December 2013, but JHS did not report that additional loss to OCR until 2016. In 2015, OCR initiated an investigation following publication of a photo on social media showing PHI on an operating room computer screen. Finally, JHS submitted a breach report in 2016 because an employee was found selling PHI. JHS did not contest the OCR findings, waived its right to a hearing, and paid the full penalty.