Jackson Health System has paid a $2.1 million fine imposed by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) for three separate HIPAA violations, the investigation into which revealed “a HIPAA compliance program that had been in disarray for a number of years,” according to OCR Director Roger Severino. Jackson did not contest the findings.
The first violation at issue stemmed from the loss of nearly 1,500 patients’ paper records containing protected health information (“PHI”) in January 2013. The second violation, in July 2015, made headlines: New York Giants football player Jason Pierre-Paul’s medical records were disclosed to an ESPN reporter and subsequently published after Pierre-Paul’s middle finger was amputated at Jackson. OCR found that Pierre-Paul’s PHI, including a photograph from his operating room, was improperly accessed and disclosed. The third violation surfaced in February 2016, when Jackson reported that an employee had improperly accessed over 24,000 patients’ records and had been selling that information since July 2011.
In imposing the fine, OCR took further issue with Jackson’s internal investigations of the breaches. OCR determined that the risk analyses performed by third parties erroneously found that certain of HIPAA’s Security Rules did not apply to Jackson. Further, OCR found that Jackson’s risk analyses did not identify “the totality of threats and vulnerabilities” in its systems, and Jackson did not remediate them.
Jackson’s fine is not OCR’s highest this year but comes close. In February, Cottage Health paid a $3 million fine for two breaches involving over 62,500 patients, and in May, Touchstone Medical Imaging paid a $3 million fine for a data breach in which more than 300,000 patients’ PHI was exposed.
Tache, Bronis, Christianson and Descalzo, P. A.
150 S.E. 2nd Avenue, Suite 600, Miami, FL 33131