Healthcare Systems Rack up Millions of Dollars in HIPAA Penalties

Several healthcare organizations have recently been the subject of HIPAA penalties totaling nearly $7 million.

On October 23, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced it had imposed a civil money penalty of $2.154 million against Jackson Health System (JHS) in Miami for numerous violations of the Health Insurance Portability and Accountability Act (HIPAA).

Jackson operates six hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care facilities and corrections health services clinics.

The violation dates back to August 2013, when JHS submitted a breach report stating that paper records containing protected health information (PHI) on 756 patients had been lost in January of that year. Upon further investigation, JHS determined another 680 patient records had been lost. However, the health system did not report the additional loss until June 2016.

Then in July 2015, OCR launched an investigation after a reporter shared a photo of a hospital operating room containing a patient’s medical information on social media. The patient was identified in media reports as an NFL player injured in a Fourth of July accident. JHS determined that two employees had accessed this patient’s electronic medical record without a job-related purpose.

On Feb. 19, 2016, JHS submitted another breach report indicating that an employee had inappropriately accessed more than 24,000 patient records since 2011 and been selling patient PHI.

OCR’s investigation found that JHS failed to provide timely and accurate breach notification to authorities, and failed to take proper measures to identify and manage risks.

OCR said in its report that the health system’s HIPAA compliance program had been “in disarray for a number of years.”

JHS waived its right to a hearing and did not contest the findings.

New York Health System Settles for $3M

Then, on Nov. 5, OCR reported that the University of Rochester Medical Center (URMC) agreed to pay $3 million to settle potential HIPAA violations.

URMC includes the School of Medicine and Dentistry and Strong Medical Hospital and is one of the largest health systems in New York State.

URMC filed breach reports in 2013 and 2017 following the discovery that PHI had been disclosed through the loss of an unencrypted flash drive and the theft of an unencrypted laptop. OCR determined that the health system failed to have sufficient security measures in place to reduce risk, including encryption mechanisms to protect patient data.

This apparently wasn’t the first time URMC was found to have failed to protect patient data. OCR noted that in 2010, a similar concern was raised following the loss of an unencrypted flash drive. Despite this, URMC had failed to take corrective action.

In addition to the monetary settlement, URMC will undertake a corrective action plan that includes a thorough analysis of potential risks and vulnerabilities to patient PHI, which must be approved by HHS. URMC also must create and implement policies and procedures and train its workforce in compliance.

Texas Health System Settles for $1.6M

Two days after the URMC settlement was announced, OCR announced a $1.6 million penalty had been levied against the Texas Health and Human Services Commission (TX HHSC) for violations that occurred between 2013 and 2017.

TX HHSC is part of a healthcare system that operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid.

In June 2015, the organization’s predecessor, the Department of Aging and Disability Services (DADS), filed a breach report stating that the ePHI of 6,617 patients was viewable over the internet. This included names, addresses, Social Security numbers and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server, and a flaw in the software code allowed access to ePHI without credentials.

OCR determined that DADS had failed to conduct a risk analysis or implement controls on its information systems. HHSC agreed to waive its right to a hearing and agreed to pay the fine.

And, as we previously wrote about, it’s not just fines that healthcare systems must be concerned about. Penalties can also include jail time.

Every day healthcare systems, along with untold numbers of other businesses, become the target of hackers. It is incumbent upon all organizations to protect their data, as well as the personal data entrusted to them.

The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to and let’s discuss how we might be able to assist you.

The Health Law Offices of Anthony C. Vitale