This company ignored HIPAA rules and paid a big price


HIPAA compliance is a serious matter. The Health Insurance Portability and Accountability Act was designed to keep protected health information secure from cybercriminals or unauthorized individuals.

As we have seen in the past, the United States government spares no expense when it comes to cracking down on healthcare organizations, Business Associates or Covered Entities who ignore HIPAA or commit HIPAA violations.

As we enter the second month of 2018, we have already seen one organization face the expensive wrath of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR): Fresenius Medical Care North America (FMCNA).

Fresenius Medical Care North America (FMCNA) pays millions for HIPAA violations

On February 1st, 2018, Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million and adopt a comprehensive corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules.

FMCNA is a healthcare organization that provides products and services to individuals who suffer from renal disease or other chronic conditions such as chronic kidney failure. The organization has over 60,000 employees that serve over 170,000 patients.

FMCNA’s network includes dialysis facilities, outpatient cardiac and vascular labs, urgent care centers, and hospitalist and post-acute providers.

FMCNA files five separate breach reports

On January 21, 2013, FMCNA filed five breach reports for individual incidents that happened between February 23, 2012 and July 18, 2012. These breach reports implicated the ePHI of five separate Covered Entities owned by FMCNA.

The five breach locations were:

  • Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility (FMC Duval)
  • Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove (FMC Magnolia Grove)
  • Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin (FMC Ak-Chin)
  • Fresenius Vascular Care Augusta, LLC (FVC Augusta)
  • WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island)

The OCR’s investigation concluded that FMCNA’s Covered Entities failed to conduct a thorough risk analysis for the security of all of its ePHI.

Furthermore, FMCNA Covered Entities provided unauthorized access to ePHI, thus violating the HIPAA Privacy Rule.

The Arizona branch of FMCNA, FMC Ak-Chin, failed to create policies and procedures that addressed security incidents.

FMC Magnolia Grove, located in Alabama, also failed to implement policies and procedures concerning the “receipt and removal of hardware and electronic media that contain ePHI into and out of a facility”, as well as the movement of these items within the facility.

The FMC Duval (Florida) and FMC Blue Island (Illinois) branches also failed to implement policies to protect their facilities and equipment from unauthorized access, including tampering or theft.

Moreover, FMC Magnolia Grove and FVC Augusta had no mechanism to encrypt and decrypt their ePHI.

FMCNA faces the expensive HIPAA consequences

All of these poor security measures resulted in a $3.5 million settlement fine.

In addition to this hefty cost, the OCR’s corrective action plan requires that the FMCNA Covered Entities successfully complete a risk analysis and risk management plan. This includes revising policies and procedures on device and media controls as well as facility access controls.

FMCNA must also develop an encryption report and educate its employees on these new policies and procedures.

Creating these new policies and procedures will cost FMCNA more time and money toward rectifying its HIPAA violations.

There is a key takeaway to learn from FMCNA’s costly mistake. Rather than spending millions of dollars to resolve a violation, have your company utilize proper HIPAA compliant solutions at a fraction of the cost. Your organization’s wallet will thank you.


About the author

Arianna Etemadieh

Arianna is an Inbound Marketing Specialist at Paubox. In her free time, she enjoys cooking, traveling, and volunteering at the animal shelter.
