Lessons Learned from the Jackson Health System Data Breach

Published On: July 7, 2025

On June 6, 2025, Jackson Health System of Miami, Florida, announced that it had fallen victim to an insider data breach affecting more than 2,000 patients. According to its press release, an employee of the organization accessed and obtained patient information, including names, birth dates, addresses, medical record numbers, and clinical details, which was then used to promote a personal healthcare business. The employee was terminated following confirmation of the HIPAA violation. However, Jackson Health System’s internal investigation revealed that the unauthorized access went undetected for nearly five years, from July 2020 through May 2025.

While it is not possible to eliminate all risks to protected health information (PHI), health centers can take meaningful steps to minimize the risk of unauthorized access and detect issues early. Key actions include:

  1. Assign Unique User Identifications. HIPAA requires covered entities to assign unique names or numbers for tracking user identities within the entity’s electronic systems. While the format is flexible, these identifiers are essential for tracking access to PHI and creating audit trails that help detect unauthorized activity.
  2. Conduct Routine Audits of User Access. Entities should routinely review access logs and other system activity related to electronic PHI (ePHI). Although HIPAA does not mandate how often these audits must occur, conducting them at least annually, or more frequently depending on the size and complexity of the organization, is a best practice for early detection of improper access.
  3. Implement Role-Based Access Controls. Not all workforce members need access to patient health records. Implementing policies that limit access based on job responsibilities can significantly reduce the likelihood of insider breaches.
  4. Provide Comprehensive Employee Privacy Training. HIPAA requires workforce members to receive training related to the policies and procedures that relate to PHI. As a best practice, this training should be provided before an employee handles PHI, repeated annually, and refreshed as needed. This training should include reminders of the expectations of the health center regarding accessing patient records and the proper handling of PHI. While this training may not deter bad actors, it will assist employees who might inadvertently violate health center policy.
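
The audit and role-based access points above, as an added example that is not part of the article: a small Python review that runs over a constructed set of ePHI access-log lines and flags entries a privacy officer would want to examine. The log format, the role policy, the user-to-patient assignment table and the thresholds are all assumptions made for the example; an organization would substitute its own EHR audit export and policy.

```python
"""Added example: rule-based review of ePHI access logs against role-based expectations.

Log format, roles, assignment table and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (CSV): timestamp, unique user ID, role, patient MRN, action.
SAMPLE_LOG = """\
2025-05-01T08:02:11Z,u1042,nurse,MRN000123,view
2025-05-01T08:05:40Z,u1042,nurse,MRN000124,view
2025-05-01T08:30:00Z,u1042,nurse,MRN000777,view
2025-05-01T09:11:02Z,u2077,billing,MRN000123,view
2025-05-01T09:12:30Z,u2077,billing,MRN000901,view
2025-05-01T09:13:01Z,u2077,billing,MRN000902,export
2025-05-01T09:14:20Z,u2077,billing,MRN000903,view
2025-05-01T22:40:15Z,u3310,scheduler,MRN000555,view
"""

# Assumed role policy: actions each role may perform on a patient record (role-based access).
ROLE_ALLOWED_ACTIONS = {
    "nurse": {"view", "update"},
    "billing": {"view"},
    "scheduler": {"view"},
}
# Roles whose access must be backed by a current care assignment to the patient.
ROLES_NEEDING_ASSIGNMENT = {"nurse"}
# Assumed assignment table: user ID -> patients that user is currently caring for.
ASSIGNMENTS = {"u1042": {"MRN000123", "MRN000124"}}
# Assumed review thresholds.
MAX_DISTINCT_PATIENTS_PER_DAY = 3
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC counts as a normal working hour


def parse_log(text):
    """Turn the CSV export into a list of dict records with a timezone-aware timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "role": role, "mrn": mrn, "action": action,
        })
    return records


def review_access(records):
    """Return (user, finding, detail) tuples for entries that need human review."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for r in records:
        # Rule 1: the action must be permitted for the user's role.
        if r["action"] not in ROLE_ALLOWED_ACTIONS.get(r["role"], set()):
            findings.append((r["user"], "action_not_permitted_for_role",
                             f"{r['role']} {r['action']} {r['mrn']}"))
        # Rule 2: clinical roles must have an assignment to the patient they open.
        if r["role"] in ROLES_NEEDING_ASSIGNMENT and r["mrn"] not in ASSIGNMENTS.get(r["user"], set()):
            findings.append((r["user"], "no_assignment_to_patient", r["mrn"]))
        # Rule 3: access outside business hours is worth a second look.
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append((r["user"], "off_hours_access", r["ts"].isoformat()))
        patients_per_user_day[(r["user"], r["ts"].date())].add(r["mrn"])
    # Rule 4: an unusual number of distinct patients in one day suggests browsing or bulk collection.
    for (user, day), mrns in sorted(patients_per_user_day.items()):
        if len(mrns) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings.append((user, "unusual_patient_volume",
                             f"{len(mrns)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(parse_log(SAMPLE_LOG)):
        print(f"{user}: {finding} ({detail})")
```

Each rule maps to one of the practices above: unique user IDs make the per-user grouping possible, the role policy and assignment table encode role-based access, and the thresholds give a routine audit something concrete to look for. Running the review on a schedule rather than once a year is what turns it into early detection.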

By putting these practices in place and fostering a culture of accountability and transparency, health centers can strengthen their privacy programs, limit potential breaches, and respond quickly and effectively to potential violations.

If you have questions about how to implement best practices for your privacy program, please contact Natalie Lesnick at nlesnick@feldesman.com or any member of Feldesman’s Healthcare team.
