“In disarray” is not the phrase compliance officials ever want to hear used about their organization, and certainly not when expressed by the head of an oversight agency. But that’s exactly the description that Roger Severino, director of the HHS Office for Civil Rights (OCR), applied to Jackson Health System (JHS) of Miami, Florida.
“OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” Severino said last month in announcing a $2.154 million financial penalty imposed on JHS. “This hospital system's compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI [protected health information] that was leaked to the media.”
The fine marks the fifth enforcement action OCR has concluded this year related to HIPAA violations. OCR issued a proposed determination and a final notice associated with the multi-million fine against JHS; the other four cases this year were resolved via the more common process of a settlement agreement between OCR and a covered entity (CE) or business associate (BA), accompanied by a corrective action plan.
Judy Ringholz, JHS’ chief compliance officer for the past three-and-a-half years, told HCCA sister publication Report on Medicare Compliance (RMC) that JHS has been “waiting for the resolution” to OCR’s investigation. She said JHS has addressed and corrected the areas of non-compliance for which it was cited. A story in a subsequent issue of RPP will include more details about JHS’ compliance activities.