On October 23, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement under which Jackson Health System (JHS) agreed to pay $2.15 million for three Health Insurance Portability and Accountability Act (HIPAA) violations between 2013 and 2016.
An OCR investigation revealed that JHS failed to comply with the HIPAA Breach Notification and Security Rules after losing the protected health information (PHI) of over 1,400 patients, allowing unrestricted access to the electronic medical record (EMR) of an NFL player, and failing to prevent an employee from selling the electronic PHI (ePHI) of over 24,000 patients.