A Florida health system completely ignores HIPAA rules for years, leading to an NFL player’s privacy breach.
Here’s a thought experiment: imagine if you ran a large hospital system and completely ignored your responsibility to protect patient health information.
Privacy Breach For Sale
What if your employees were so confident in their ability to peruse patient medical data that they actually SOLD information to the highest bidder?
What if your risk analysis completely understated your exposure, putting your patients’ private health details into public hands on numerous occasions?
You don’t need to imagine such a scenario because it happened at Florida’s Jackson Health System.
The Miami provider of primary care, nursing, corrections health services and operator of six hospitals was fined more than $2.15 million for its numerous and blatant Health Insurance Portability and Accountability Act (HIPAA) violations between 2013 and 2016.
Privacy Breach: records in disarray for years
Roger Severino, director of the Office for Civil Rights (OCR), the federal agency responsible for investigating HIPAA violations, described Jackson Health’s records as “in disarray for a number of years.”
Professional Football Player Targeted in HIPAA Privacy Breach
The trouble started when the OCR launched an investigation of Jackson following reports of a professional football player’s medical records being shared on social media.
Federal investigators determined that two Jackson employees had repeatedly accessed electronic protected health information (ePHI) for unauthorized purposes.
Paper records lost in giant privacy breach
On two occasions, paper medical records were lost, putting more than 1,000 patients at risk of unauthorized data disclosure.
One employee, who had been illegally accessing 24,000 patient records over more than five years, had been selling private details.
Jackson did not contest any of the OCR’s privacy breach claims, choosing instead to pay the full $2.154 million penalty.
A complete list of Jackson’s privacy breach violations can be viewed here.
If your employees were illegally accessing ePHI, would you know? If not, how would you find out? If your answers are less-than-confident, we can help.