A Super-Bowl Sized HIPAA Settlement Results in $3.5 Million Payment
On February 1, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million and enter into a Corrective Action Plan (CAP) to settle alleged violations of the HIPAA Privacy and Security Rules. The OCR settlement noted that five (5) covered entities under FMCNA’s common ownership and control failed to conduct accurate and thorough risk analyses as required by the HIPAA Security Rule.
Fresenius is a national provider of products and services for people with chronic kidney failure. FMCNA’s operations include dialysis facilities, outpatient cardiac and vascular labs, urgent care centers, and hospital and post-acute providers. In January of 2013, FMCNA filed five (5) separate breach reports with the OCR for separate incidents occurring in covered entities owned by FMCNA (the FMCNA Covered Entities). None of the breaches individually affected 500 or more individuals, and one of the breaches “only” affected ten (10) individuals. Cumulatively, however, these five incidents resulted in a super-sized settlement payment by FMCNA. The five breach incidents were:
- Two desktop computers were stolen during a break-in at a Florida FMCNA location; they contained the electronic protected health information (ePHI) of 200 individuals.
- An unencrypted USB drive was stolen from a workforce member’s car while it was parked at an Alabama FMCNA location; the drive contained the ePHI of 245 individuals.
- A hard drive went missing from a desktop computer at an FMCNA location; it contained the ePHI of 35 individuals. The workforce member whose hard drive was missing notified the area manager, but the area manager did not report the incident to the FMCNA corporate risk management department.
- A Fresenius workforce member in Georgia had her unencrypted laptop stolen from her car at her home; the laptop contained the ePHI of 10 individuals.
- Three desktop computers and one encrypted laptop were stolen from a Fresenius location. One of the desktop computers contained the ePHI of 31 individuals.
The OCR’s subsequent investigation of the five (5) breaches revealed that the FMCNA Covered Entities failed to conduct accurate and thorough risk analyses of the potential risks and vulnerabilities to the confidentiality, integrity and availability of their PHI as required by the HIPAA Security Rule. The OCR determined that the FMCNA Covered Entities failed to implement: policies and procedures to safeguard their facilities and equipment; policies and procedures to govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility; a mechanism to encrypt and decrypt ePHI; policies and procedures to address security incidents; and/or policies and procedures that specify proper functions to be performed and the physical attributes of the surroundings of a workstation or class of workstations that access PHI.
In addition to the $3.5 million payment, FMCNA entered into a two (2) year CAP. The CAP requires the FMCNA Covered Entities to conduct a risk analysis of the potential security risks and vulnerabilities to the confidentiality, integrity and availability of their ePHI; implement a written risk management plan to address and mitigate the identified security risks; develop a process to regularly evaluate environmental or operational changes that affect the security of ePHI; develop a written report on the status of implementation of encryption; review and revise, as necessary, policies and procedures related to devices that are used to access, store, download or transmit ePHI; review and revise, as necessary, policies and procedures to limit physical access to electronic information systems and facilities; and develop an enhanced health information privacy and security awareness training program. FMCNA is required to submit annual reports to the OCR confirming its compliance with the CAP.
FMCNA did not admit any liability as part of the settlement. The FMCNA Resolution Agreement and CAP are available here.
OCR’s recent enforcement efforts focus on Security Rule compliance. A most valuable lesson for all covered entities and business associates is to be Eagle-eyed with respect to HIPAA compliance. The FMCNA settlement is a reminder to covered entities and business associates of the importance of acting like a Patriot and conducting a thorough risk analysis and developing risk management plans to address the risks identified in the security analysis. The FMCNA settlement also highlights that although none of the FMCNA reported breaches was a “large” breach (which under HIPAA is a breach affecting 500 or more individuals), the OCR will take action with respect to patterns of non-compliance in “smaller” breaches.
Saul Ewing Arnstein & Lehr attorneys counsel and assist covered entities and business associates with respect to HIPAA Privacy Rule, Security Rule and Breach Notification Rule compliance. For more information relating to Saul Ewing Arnstein & Lehr’s HIPAA compliance practice, please contact the authors or the Saul Ewing Arnstein & Lehr attorney with whom you are regularly in contact.