- Fresenius Medical Care North America (FMCNA) recently agreed to a $3.5 million OCR settlement following allegations that it committed HIPAA violations on five different occasions at separate FMCNA covered entities.
FMCNA provides product and services for individuals with chronic kidney failure, and has a network including dialysis facilities, outpatient cardiac and vascular labs, urgent care centers, hospitalist, and post-acute providers.
FMCNA filed five separate breach reports on January 21, 2013, OCR explained in a statement. The incidents took place between February 23, 2012 and July 18, 2012, and involved various covered entities not having accurate and thorough risk analyses.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” OCR Director Roger Severino stated. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
The FMCNA covered entities that reported an incident include the following:
- Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility (FMC Duval)
- Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove (FMC Magnolia Grove)
- Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin (FMC Ak-Chin)
- Fresenius Vascular Care Augusta, LLC (FVC Augusta)
- WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island)
READ MORE: 5 Lessons Learned in OCR HIPAA Settlements
FMC Duval had two desktop computers stolen during a break in on February 23, 2012, according to the corrective action plan. The organization reported that one of the devices held the ePHI of 200 individuals. OCR found that FMC Duval “failed to implement policies and procedures to safeguard its facilities and the equipment therein from unauthorized access, tampering, and theft.”
FMC Magnolia Grove also experienced a theft, but reported that an unencrypted USB drive was stolen on April 3, 2012. The USB drive contained the ePHI of 245 individuals and was reportedly taken from a workforce member’s car.
“FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility,” OCR wrote in the corrective action plan.
The third reported incident involved FMC Ak-Chin and took place on June 18, 2012. FMC Ak-Chin had a hard drive from a desktop computer go missing on Aril 6, 2012. While a workforce member reported the missing drive and notified the Area Manager, the Area Manager did not report the incident to the corporate risk management department, OCR noted.
The FVC Augusta breach also involved a stolen laptop. An unencrypted laptop was stolen from a workforce member’s car on June 16, 2012. The device was stored in a bag listed with the workforce member’s passwords.
OCR stated that FVC Augusta “failed to implement a mechanism to encrypt and decrypt ePHI” and did not have necessary policies and procedures in place to explain how certain functions must be performed. “The physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI” also needed to be specified in the organization’s policies and procedures.
FMC Blue Island had three desktop computers and one unencrypted laptop stolen on or around June 17 to 18, 2012. OCR found that the facility also “failed to implement policies and procedures to safeguard its facilities and the equipment therein from unauthorized access, tampering, and theft.”
In addition to paying the $3.5 million, FMCNA will need to adhere to a corrective action plan. The FMCNA covered entities must conduct an accurate and thorough risk analysis, develop and implement a risk management plan, implement a process for computing environmental and operational changes, and develop an encryption report.
Furthermore, all five covered entities need to review and revise their policies and procedures on device and media controls and on facility access controls.
“The policies shall identify criteria for the use of such Covered Electronic Media and procedures for obtaining authorization for the use of Covered Electronic Media that utilize the FMCNA Covered Entities’ ePHI systems,” OCR said. “The FMCNA Covered Entities shall develop a facility security plan that defines and documents the physical security controls to safeguard the facility or facilities and the equipment therein from unauthorized physical access, tampering, and theft.”
Finally, the covered entities will need to develop an enhanced privacy and security awareness training program. All workforce members who have access to PHI and ePHI must be properly trained on all HIPAA-related policies and procedures, OCR explained.
“The Training Program shall also include training on the new or revised Evaluation Process and all of the new or revised Device and Media Controls Policies and Procedures and Physical Access Policies and Procedures (collectively, the ‘Policies and Procedures), to the extent such new or revised Policies and Procedures are developed and existing policies and procedures are revised,” the agency stated.