A major renal care provider has agreed to pay $3.5 million to resolve Health Insurance Portability and Accountability Act (HIPAA) privacy and security allegations arising from a series of data breaches at five different facilities over a 5-month span in 2012.
In January 2013 Fresenius Medical Care North America (FMCNA) notified the U.S. Department of Health and Human Services of these incidents, which involved the electronic protected health information (e-PHI) of these five FMCNA-owned covered entities.
On investigating, HHS’ Office for Civil Rights (OCR) determined that the covered entities had failed to conduct an accurate and thorough risk assessment covering all of their e-PHI, as required by HIPAA’s security rule. The agency also alleged that these locations had impermissibly disclosed this e-PHI by providing access that HIPAA’s privacy rule does not authorize.
FMCNA is a provider of products and services for people with chronic kidney failure, with over 60,000 employees serving over 170,000 patients. FMCNA’s network comprises dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino in a February 1 statement announcing the settlement. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate their workforce on policies and procedures.