Health IT

Five breaches equate to a $3.5M HIPAA settlement

Waltham, Massachusetts-based Fresenius Medical Care North America has agreed to pay $3.5 million to settle allegations of five HIPAA violations that occurred between February 23, 2012 and July 18, 2012.

What better way to kick off a new month than with a HIPAA fine?

On Thursday, the HHS Office for Civil Rights announced the first settlement of 2018.

Fresenius Medical Care North America has agreed to pay $3.5 million to settle potential HIPAA violations. The worst part is the background of the situation — FMCNA reported five (yes, five) separate breaches in 2012.

The Waltham, Massachusetts organization provides services for individuals with chronic kidney failure. It operates various urgent care centers, dialysis facilities and outpatient cardiac and vascular labs.

In January 2013, FMCNA filed five reports for separate breach incidents, which occurred between February 23, 2012 and July 18, 2012.

Here are the locations that reported breaches and what happened at each one:

  • Two desktop computers were stolen from Bio-Medical Applications of Florida (d/b/a Fresenius Medical Care Duval Facility) during a break-in. One contained the ePHI of 200 patients.
  • In April 2012, an unencrypted USB drive was stolen from an employee’s car while it was in the parking lot of Bio-Medical Applications of Alabama (d/b/a Fresenius Medical Care Magnolia Grove). The flash drive included 245 individuals’ ePHI.
  • In June 2012, the FMCNA compliance line learned that a hard drive from a desktop computer, which had been taken out of service to be replaced, was missing from Renal Dimensions (d/b/a Fresenius Medical Care Ak-Chin) on April 6, 2012. Thirty-five individuals’ information was on the drive. Though the employee whose drive was gone notified the area manager, the manager didn’t report the situation to the corporate risk management department.
  • An employee of Fresenius Vascular Care Augusta left her unencrypted laptop in her car (parked at home) overnight. The laptop was in a bag with a list of the employee’s passwords. The computer, which contained the ePHI of 10 people, was stolen from the car.
  • Three desktop computers and one encrypted laptop were taken from WSKC Dialysis Services (d/b/a Fresenius Medical Care Blue Island Dialysis). One of the desktop computers included 31 individuals’ ePHI.

In addition to the $3.5 million fine, FMCNA has to implement a corrective action plan. It requires the FMCNA covered entities to conduct a risk analysis and develop a risk management plan, create an encryption report, revise policies and train their workforce.

In an emailed statement, FMCNA said:

We take the protection of our patients’ health information very seriously. It is a top priority for our company and a critical issue facing the entire healthcare industry. We recently entered into a settlement agreement with the US Department of Health & Human Services Office for Civil Rights to informally resolve alleged HIPAA violations stemming from incidents that occurred in 2012, most of which involved theft of company computers and equipment. The settlement is not an admission that we violated HIPAA, and there is no evidence that any of our patients’ health information was improperly accessed or misused. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft.

David Holtzman, CynergisTek’s vice president of compliance strategies and a former senior advisor to OCR for health IT and the HIPAA Security Rule, said this settlement should serve as a “wake-up call” for healthcare organizations, particularly those that operate satellite locations.

“Here’s why: Reading between the lines of the information contained in the resolution agreement, it appears that Fresenius had a single corporate policy or set of policies setting standards for how their satellite dialysis centers were to implement safeguards as required under the security rule,” he said in a phone interview. “But what is equally apparent is that the satellite centers — at least these five satellite centers — had not implemented them.”

Holtzman added that the FMCNA corporate parent didn’t have an effective way to review how their satellite locations were implementing the rule.

Photo: Ildo Frazao, Getty Images
