
September 17, 2021

HHS announces $3.5 million HIPAA settlement with Fresenius resolving five breach reports

Fresenius Medical Care North America (FMCNA), a provider of products and services for people with chronic kidney failure, has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

OCR’s investigation into five separate FMCNA-owned covered entities revealed what it determined to be a failure to conduct accurate and thorough risk analyses of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). The investigation found the FMCNA covered entities impermissibly disclosed the ePHI of some of their patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.

The covered entities were also found to have failed to:

  • implement policies and procedures to address security incidents
  • implement policies and procedures to govern the receipt and removal of hardware and electronic media that contain ePHI within and outside of the facility
  • administer policies and procedures to safeguard their facilities and equipment from unauthorized access, tampering, and theft
  • execute a mechanism to encrypt and decrypt ePHI

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

As a result of these violations, FMCNA will pay $3.5 million and, as part of its corrective action plan, must complete a risk analysis and risk management plan, revise its policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on those policies and procedures.

The entire press release can be found here.

The resolution agreement and corrective action plan may be found on the OCR website here.

© 2021 Dinsmore & Shohl LLP. All rights reserved. National Law Review, Volume VIII, Number 33

About this Author

Jennifer Mitchell, Partner, Health Care Practice Group, Dinsmore & Shohl LLP

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the...

Sydney Pahren, Corporate Law Attorney, Dinsmore & Shohl LLP, Columbus

Sydney is a member of Dinsmore’s Corporate Department, where she focuses her practice on health care law. 

She has experience researching legal issues in health care, litigation, labor & employment and corporate law. She is a graduate of The Ohio State University Moritz College of Law where she was an articles editor on the Ohio State Law Journal and an executive board member of the Black Law Students Association.