February 2, 2018 - Health Care Group News: $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each

Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations.  While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities.  OCR is sending a message about HIPAA Security Rule compliance.

Five Fresenius entities in five different states suffered five completely separate but relatively common breaches.  Each breach involved stolen or missing equipment.  No one breach involved records of more than 500 patients.  In fact, combined, the total number of patients impacted was 521.  As a reminder, the $5.5 million settlement this time last year with Memorial Health Care System involved the records of 115,143 individuals.

The five Fresenius breaches involved:

Breach 1:  two stolen desktop computers containing the ePHI of 200 patients.

Breach 2:  a stolen unencrypted USB drive containing the ePHI of 245 patients.

Breach 3:  a missing hard drive containing the ePHI of 35 patients.

Breach 4:  an unencrypted laptop stolen from a car containing the ePHI of 10 patients.

Breach 5:  a stolen desktop computer containing the ePHI of 31 patients.

These breaches occurred between February 2012 and June 2012 and Fresenius timely reported them on January 21, 2013.  Six months later, OCR launched an investigation.  Of the OCR’s seven findings, the most significant is the failure to conduct an accurate and thorough risk analysis under the HIPAA Security Rule.  Five of the remaining six findings also relate to alleged HIPAA Security Rule violations (e.g. the failure to implement policies and procedures or mechanisms to protect ePHI).

Important takeaways:  OCR reads breach reports involving breaches affecting fewer than 500 patients. The HIPAA Security Rule matters.  Do the risk analysis.  Have policies and procedures that comply with the HIPAA Security Rule.  Don’t wait. 

© Copyright 2020 Murtha Cullina. National Law Review, Volume VIII, Number 33

About this Author

Dena Castricone, Murtha Cullina Law Firm, Privacy and Cybersecurity Attorney

Dena M. Castricone is a member of the Long Term Care and Health Care practice groups.  She is the Chair of the Privacy and Cybersecurity practice group and the Chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

Dena’s long term care and health care clients compete in a constantly evolving industry, facing both rising administrative and regulatory burdens and shrinking reimbursement rates. She helps skilled nursing centers, physician groups, home health and...