The Department of Health and Human Services’ Office for Civil Rights (OCR) announced the first case of HIPAA settlement for 2018. For multiple potential HIPAA violations, Fresenius Medical Care North America (FMCNA) agreed to pay a settlement amount of $3.5 million to OCR. The violations involved five separate data breaches that happened way back in 2012. The breached covered entities were owned by FMCNA and are as follows:
- Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval)
- Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove)
- Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin)
- Fresenius Vascular Care Augusta, LLC (FVC Augusta)
- WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island)
The 5 security breaches occurred over a period of 4 months from February 23, 201 to July 18, 2012. The following details the incidents:
- Two desktop computers were stolen from FMC Duval on February 23, 2012 during a break-in. The computers stored the ePHI (Social Security numbers included) of 200 persons.
- An unencrypted USB drive was stolen from FMC Magnolia Grove on April 3, 2012. The USB contained the PHI (insurance account numbers included) of 245 persons.
- FMC Ak-Chin discovered on April 6, 2012 that a hard drive was missing. It was not in the computer that was taken out of service. The drive stored the PHI (Social Security numbers included) of 35 persons.
- An unencrypted laptop computer was stolen from an employee’s vehicle on June 16, 2012. The laptop contained the ePHI (insurance details included) of 10 patients. The employee’s list of passwords was also in the laptop bag.
- One encrypted laptop and three desktop computers were stolen from FMC Blue Island some time on June 17-18, 2012. One computer contained the PHI of 35 patients (Social Security numbers included).
OCR investigated the breaches to determine whether there were HIPAA compliance violations. OCR found that the covered entities failed in the following aspects:
- They did not conduct a comprehensive and accurate risk analysis. Hence there was failure in identifying potential risks to the confidentiality, integrity and availability of ePHI. OCR
- They impermissibly disclosed many patients’ ePHI by giving access to PHI that is not allowed under the HIPAA Privacy Rule.
- FMC Magnolia Grove did not implement the required policies and procedures when accepting and removing computer hardware and electronic storage devices with ePH from the facility.
- FMC Magnolia Grove and FVC Augusta did not encrypt their devices, which is essential to protecting ePHI against exposure.
- FMC Duval and FMC Blue did not sufficiently safeguard their facilities and computers
- FMC Ak-Chin did not have policies and procedures to address security breaches.
The $3.5 million penalty is one of the largest penalties ever issued by OCR for HIPAA Rules violations. Aside from the financial penalty, FMCNA need to implement a robust action plan to correct all its HIPAA non-compliance enumerated above and uphold the standards required by HIPAA.