Failure to perform a Security Risk Analysis and adopt a comprehensive corrective action plan resulted in a covered entity agreeing to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
According to OCR's announcement, Fresenius Medical Care North America (FMCNA) filed five separate breach reports on January 21, 2013 for separate incidents occurring between February 23, 2012 and July 18, 2012 implicating the electronic protected health information (ePHI) of five separate FMCNA owned covered entities.
Findings of OCR's investigation include:
- Failure to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
- Impermissible disclosure of the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.
- Lack of implemented policies and procedures to address security incidents.
- Missing implemented policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility.
- Failure to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.
- Did not implement a mechanism to encrypt and decrypt ePHI (or an equal alternative), when it was reasonable and appropriate to do so under the circumstances.
In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures.
What can we learn from this announcement?
This settlement shows how important it is to have a complete compliance program in place that includes implemented HIPAA Privacy and HIPAA Security policies and procedures. Employees must be educated on these policies and procedures, and safeguards must be implemented. Additionally, performing a Security Risk Analysis and having a comprehensive risk management plan is not optional; it is a HIPAA requirement covered entities must heed.
Have questions about HIPAA requirements? We can help. You can send your questions to [email protected] or reach us by phone 855-427-0427.