HIPAA compliance is a serious matter. The Health Insurance Portability and Accountability Act, through its Privacy and Security Rules, requires that protected health information (PHI) be kept out of the hands of cybercriminals and other unauthorized individuals.
As we have seen in the past, the United States government does not hesitate to crack down on healthcare organizations, Business Associates or Covered Entities that ignore HIPAA or commit HIPAA violations.
Only one month into 2018, we have already seen one organization face the expensive wrath of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR): Fresenius Medical Care North America (FMCNA).
Fresenius Medical Care North America (FMCNA) pays millions for HIPAA violations
On February 1st, 2018, Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million and adopt a comprehensive corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules.
FMCNA is a healthcare organization that provides products and services to individuals who suffer from renal disease and other chronic conditions such as chronic kidney failure. The organization has over 60,000 employees who serve over 170,000 patients.
FMCNA’s network includes dialysis facilities, outpatient cardiac and vascular labs, urgent care centers, and hospitalist and post-acute providers.
FMCNA files five separate breach reports
On January 21, 2013, FMCNA filed five breach reports for separate incidents that occurred between February 23, 2012 and July 18, 2012. Each report concerned the ePHI held by a different Covered Entity owned by FMCNA, five Covered Entities in all.
The five breach locations were:
- Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility (FMC Duval)
- Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove (FMC Magnolia Grove)
- Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin (FMC Ak-Chin)
- Fresenius Vascular Care Augusta, LLC (FVC Augusta)
- WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island)
OCR’s investigation concluded that the FMCNA Covered Entities failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI they held.
Furthermore, the FMCNA Covered Entities impermissibly disclosed patient ePHI by providing unauthorized access for a purpose not permitted by the HIPAA Privacy Rule.
The Arizona branch of FMCNA, FMC Ak-Chin, failed to create policies and procedures that addressed security incidents.
FMC Magnolia Grove, located in Alabama, also failed to implement policies and procedures concerning the “receipt and removal of hardware and electronic media that contain ePHI into and out of a facility”, as well as the movement of these items within the facility.
The FMC Duval (Florida) and FMC Blue Island (Illinois) branches also failed to implement policies and procedures to safeguard their facilities and equipment from unauthorized physical access, tampering, and theft.
Moreover, FMC Magnolia Grove and FVC Augusta had no mechanism to encrypt and decrypt their ePHI, even though doing so was reasonable and appropriate in their circumstances. Encryption is an “addressable” rather than “required” specification under the Security Rule, but an entity that chooses not to encrypt must document why and implement an equivalent alternative; these facilities did neither.
FMCNA faces the expensive HIPAA consequences
All of these poor security measures resulted in a $3.5 million settlement payment.
In addition to this hefty cost, OCR’s corrective action plan requires that the FMCNA Covered Entities complete a risk analysis and a risk management plan. This includes revising their policies and procedures on device and media controls as well as on facility access controls.
FMCNA must also develop an encryption report and train its workforce on the new policies and procedures.
Creating and rolling out these new policies and procedures will cost FMCNA still more time and money on top of the settlement itself.
There is a key takeaway from FMCNA’s costly mistake. Every one of the failures cited, from the missing risk analysis to the absent device, media, facility access, and encryption controls, is a baseline Security Rule safeguard that costs far less to put in place than it does to settle. Rather than spending millions of dollars to resolve a violation, have your organization adopt proper HIPAA compliant solutions up front, at a fraction of the cost. Your organization’s wallet will thank you.