5 breaches cost $3.5 million for national provider in HHS settlement

The first enforcement settlement of the year follows an OCR investigation of Fresenius Medical Care North America that began in 2013, after a string of breaches in its clinics across the U.S. the prior year.
By Jessica Davis
02:53 PM
HHS breach

Fresenius Medical Care North America settled with the U.S. Department of Health and Human Services Office of Civil Rights for $3.5 million to settle allegations of five separate HIPAA violations at various FMCNA-covered entities.

The fine marks the first OCR settlement of the year.

FMCNA, which operates over 2,200 dialysis clinics, outpatient cardiac and vascular labs, and urgent care centers, filed five separate breach reports in 2013. Those incidents took place between February 2012 and July 2012.

The OCR investigation found that several FMCNA-covered entities failed to conduct thorough and accurate risk analyses of potential vulnerabilities to the confidentiality and availability of electronic patient data.

[Also: OCR deputy: Have policies in place to avoid a HIPAA compliance review]

As a result, those breached entities allowed impermissible disclosure of ePHI through unauthorized access for purposes not permitted by HIPAA.

Specifically, one branch lacked policies and procedures to address security incidents, while another failed to establish policies for governing the receipt and removal of hardware and electronic files of ePHI into and out of the facility.

Another two branches lacked policies for safeguarding the facility and equipment from unauthorized access, tampering and theft. And two others didn’t have a method in place to properly encrypt or decrypt ePHI.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

In addition to the fine, FMCNA will need to complete a risk analysis and risk management plan at all of its covered entities. Further, it must revise policies and procedures for device and media and access controls, develop an encryption report, and educate staff.


Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com