HIPAA Breaches Result in $2.15 Million Penalty Against Jackson Health System

The Office for Civil Rights (OCR) penalized Jackson Health System (JHS) $2.15 million for multiple violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

JHS operates six major hospitals and various care centers in Florida, providing health services to approximately 650,000 patients annually. The OCR investigation found that JHS had violated the HIPAA Security, Privacy, and Breach Notification Rules between 2013 and 2016. These violations included, but were not limited to:

HIPAA Security Rule

  • In February 2016, JHS submitted a Breach Notification Report to OCR stating that an employee had inappropriately accessed the PHI of almost 25,000 patients and had been selling that information since July 2011.
  • OCR's investigation found that JHS had violated the HIPAA Security Rule because it failed to implement policies and procedures to prevent, detect, and correct security violations, allowing the employee's impermissible access to patients' PHI to continue undetected for over five years. JHS had also failed to remediate the risks, threats, and vulnerabilities identified in its own prior risk analyses.

HIPAA Privacy Rule

  • In July 2015, OCR opened a compliance review in response to a media report that disclosed the PHI of a JHS patient, a well-known NFL player. The investigation revealed that employees involved in the player's care had improperly accessed his PHI.
  • OCR found that JHS had failed to implement policies and procedures for granting access to PHI consistent with the applicable requirements of the HIPAA Privacy Rule, including restricting workforce access to the minimum necessary to perform each job function, as the Rule requires.

HIPAA Breach Notification Rule

  • In August 2013, JHS submitted a report to OCR of the loss, back in January 2013, of paper records belonging to 1,471 patients.
  • OCR found that JHS had failed to provide timely and accurate notification of the breach to the Secretary of Health & Human Services (HHS), in violation of the HIPAA Breach Notification Rule. For a breach affecting 500 or more individuals, the Rule requires notification to the Secretary without unreasonable delay and no later than 60 days after discovery; a report filed roughly seven months after the loss falls well outside that window.

Covered Entities that fail to comply with the many requirements under HIPAA may face costly outcomes. ComplianceDashboard's HIPAA Pro can help you understand and implement the obligations imposed under the Security, Privacy, and Breach Notification Rules.


The information and content contained in this blog post are for general informational purposes only and do not, and are not intended to, constitute legal advice.
