Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules
Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and to adopt a comprehensive corrective action plan, in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. FMCNA is a provider of products and services for people with chronic kidney failure, with over 60,000 employees, that serves over 170,000 patients. FMCNA’s network consists of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.
On January 21, 2013, FMCNA filed five separate breach reports for separate incidents occurring between February 23, 2012 and July 18, 2012, implicating the electronic protected health information (ePHI) of five separate FMCNA-owned covered entities (FMCNA covered entities).
The five locations of the breaches were Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval Facility); Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove Facility); Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin Facility); Fresenius Vascular Care Augusta, LLC (FVC Augusta); and WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island Facility).
OCR’s investigation revealed that the FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of their ePHI.
The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.
FMC Ak-Chin failed to implement policies and procedures to address security incidents.
FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and the equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.
FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
In addition to the $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate their workforce on policies and procedures.
The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/FMCNA/index.html.
To learn more about health information privacy laws and health information privacy rights, please visit www.hhs.gov/hipaa.
To file a complaint with OCR based on a violation of civil rights, conscience or religious freedom, or health information privacy, visit us at www.hhs.gov/ocr/complaints.
Follow OCR on Twitter at http://twitter.com/HHSOCR.
###