OCR Issues $2.15 Million Fine to Jackson Health System

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

HIPAA compliance doesn’t care if you’re a small business or a non-profit. This isn’t said in a disrespectful manner to the laws that govern the policies, but to make you aware that your business status, or identifying structure won’t allow you to be overlooked.

Hefty Fine Imposed
Recently the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services imposed a $2,154,000 penalty against Jackson Health System (JHS) for HIPAA violations.


This nonprofit academic medical system operates 6 major hospitals, a network of urgent, primary, and specialty care centers, long-term nursing facilities, and corrections health services clinics. Those facilities provide care for 650,000 patients on an annual basis and employ over 12,000 people.

The Breaches
JHS submitted the breach report in August of 2013. In it, they stated that in January of that same year, they had lost paper records which contained the private health information (PHI) of over 700 patients. An additional loss of patient records from December 2012 was not reported until June of 2016. Additionally, an investigation was launched in July of 2015 when two employees accessed a patient’s electronic medical record inappropriately, and that patient’s photo was shared by a reporter. The image contained the patient’s medical information on an operating screen and was shared on social media.

A Compliance Program in Disarray
Add to all of this, that in February of 2016 JHS reported that one employee had been selling PHI. JHS reported that this employee had accessed over 24,000 patient records since 2011.

12,000 employees mean a lot of monitoring for any company, so a strong HIPAA compliance program isn’t just a necessity, it’s a critical part of this business keeping its doors open. The OCR investigation found that their HIPAA compliance program had been “in disarray for a number of years” and that the “hospital’s system compliance failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”

A strong HIPAA compliance program needs to be a part of your business from start to finish. Are you prepared to be accountable for the actions of your employees?

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.

HIPAA Secure Now! suite of subscriptions offers an extensive list of tools to provide ongoing training, assessment, moderation activities and more to support an organization’s privacy and security efforts. Subscriptions also support the process of conducting an annual Security Risk Assessment to meet MIPS and Promoting Interoperability requirements.

The subscriptions work for organizations of all sizes, both Covered Entities and Business Associates. All are priced at a flat annual fee, based on number of employees, for a full 12 months. All include a discount if purchased through us.


If your organization has more than 50 employees, or if you’d like to schedule a demo or you just want to get a couple questions answered, take a few seconds to complete this form and we will get back to you.