Fresenius Medical Care North America (FMCNA), a provider of products and services for people with chronic kidney failure, has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

OCR’s investigation into five separate FMCNA-owned covered entities revealed what it determined to be a failure to conduct accurate and thorough risk analyses of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). The investigation found the FMCNA covered entities impermissibly disclosed the ePHI of some of their patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.

The covered entities were also found to have failed to:

  • implement policies and procedures to address security incidents
  • implement policies and procedures to govern the receipt and removal of hardware and electronic media that contain ePHI within and outside of the facility
  • administer policies and procedures to safeguard their facilities and equipment from unauthorized access, tampering, and theft
  • execute a mechanism to encrypt and decrypt ePHI

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

As a result of these violations, FMCNA will pay $3.5 million and must complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures as a part of their corrective action plan.

The entire press release can be found here https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/FMCNA/index.html