Compliance & Legal

5 breaches cost $3.5 million for national provider in HHS settlement

The first enforcement settlement of the year follows an OCR investigation of Fresenius Medical Care North America that began in 2013, after a string of breaches in its clinics across the U.S. the prior year.
By Jessica Davis
February 01, 2018
02:53 PM

Fresenius Medical Care North America settled with the U.S. Department of Health and Human Services Office of Civil Rights for $3.5 million to settle allegations of five separate HIPAA violations at various FMCNA-covered entities.

The fine marks the first OCR settlement of the year.

FMCNA, which operates over 2,200 dialysis clinics, outpatient cardiac and vascular labs, and urgent care centers, filed five separate breach reports in 2013. Those incidents took place between February 2012 and July 2012.

The OCR investigation found that several FMCNA-covered entities failed to conduct thorough and accurate risk analyses of potential vulnerabilities to the confidentiality and availability of electronic patient data.

[Also: OCR deputy: Have policies in place to avoid a HIPAA compliance review]

As a result, those breached entities allowed impermissible disclosure of ePHI through unauthorized access for purposes not permitted by HIPAA.

Specifically, one branch lacked policies and procedures to address security incidents, while another failed to establish policies for governing the receipt and removal of hardware and electronic files of ePHI into and out of the facility.

Another two branches lacked policies for safeguarding the facility and equipment from unauthorized access, tampering and theft. And two others didn’t have a method in place to properly encrypt or decrypt ePHI.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

In addition to the fine, FMCNA will need to complete a risk analysis and risk management plan at all of its covered entities. Further, it must revise policies and procedures for device and media and access controls, develop an encryption report, and educate staff.

 

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Topics: 
Compliance & Legal, Privacy & Security

More regional news

A pharmacist reviewing a digital record

Blooms The Chemist integrates Healthengine and more briefs

By
Adam Ang
November 17, 2024
HIMSSCast logo

HIMSSCast: Caregiver input needed for allocation of investment dollars

By
Bill Siwicki
November 15, 2024
HHS Building

Trump picks RFK Jr. to lead HHS

By
Susan Morse
November 15, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Former Georgia Rep. Doug Collins
Trump taps former Rep. Doug Collins to head VA

Most Read

Vendor Notebook: New cybersecurity and EHR performance upgrades 
Texas AG settles with clinical genAI company
What Loper Bright and the end of Chevron deference mean for HHS
Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
ASTP intros 2024 draft Federal FHIR Action Plan

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Lee Kim at HIMSS_Global Health Equity Week 2024
AI can be leveraged to improve cybersecurity and health equity
Dr. Keisuke Nakagawa at UC Davis Health_Global Health Equity Week 2024
How artificial intelligence is changing the equation for SDOH integration
Andrea Hsu at National Science and Technology Council_HIMSS24 APAC
Fostering health IT innovation through academic-industrial collaborations
Valerie Rogers at HIMSS_Global Health Equity Week 2024
Technology and policy have a role to play in improving maternal health

More Stories

Mike Relli at Knight Consulting_Global Health Equity Week 2024
New approaches to improving healthcare access for justice-impacted individuals
HIT professional reviews information on a laptop outside a server room
ASPR seeks feedback on public health orgs' cybersecurity needs
Gabriel Jones of Proprio on AI
Artificial intelligence is enabling big advances in surgery
Pharmacist sorting pills
Deploy RFID technologies to streamline controlled substance management
Healthcare workers in a meeting
Prioritizing cost management at U.S. healthcare systems: Keys to better margins
Healthcare worker looking at medical record on tablet with patient in background
Protect your IoMT devices against evolving cyberattacks
Jill Brewer at HIMSS_Healthcare Cybersecurity Forum 2024
What's the weakest link in organizational cybersecurity? Not what you might think
Richard Staynings at the University of Denver_Healthcare Cybersecurity Forum 2024
The challenges of safeguarding healthcare's 'data ocean'