OCR Kick Starts 2018 with Severe $3.5 Million HIPAA Settlement and Corrective Action Plan
Thursday, February 8, 2018
HIPAA, OCR
Print Mail Download i

Fresenius Medical Center North America (FMCNA) agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a two-year comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

The no-fault resolution agreement states that FMCNA reported five separate incidents that occurred between February 23, 2012 and July 18, 2012 at five distinct FMCNA facilities (FMCNA Covered Entities).  FMCNA provides centralized corporate support to the FMCNA Covered Entities, including storing patient’s medical records, creating and disseminating HIPAA policies and procedures, and investigating the circumstances surrounding each breach reported to it by the FMCNA Covered Entities.  The following is a list of the FMCNA HIPAA breaches:

  • Two desktop computers were stolen during a break-in at a FMCNA Covered Entity, one of which contained the electronic protected health information (ePHI) of 200 individuals.

  • An unencrypted USB drive that contained the ePHI of 245 individuals was stolen from a workforce member’s car while it was parked in the lot at a FMCNA Covered Entity.

  • The FMCNA compliance hotline received an anonymous report that a hard drive that contained the ePHI of 35 individuals from a desktop computer was missing. The workforce member whose hard drive was missing promptly notified the appropriate individual, however that individual failed to report the incident to the FMCNA Corporate Risk Management Department.

  • A workforce member’s unencrypted laptop that contained the ePHI of 10 individuals was stolen from her car while parked overnight at her home, where it was stored in a bag with a list of her passwords.

  • Three desktop computers and one encrypted laptop were stolen from a FMCNA Covered Entity. One of the computers contained the ePHI of 31 individuals.

The HHS corrective action plan requires the FMCNA Covered Entities to:

  • Conduct a risk analysis.

  • Develop and implement a risk management plan.

  • Implement a process for evaluating environmental and operational changes.

  • Develop an encryption report.

  • Review and revise policies and procedures on device and media controls as well as facility access controls.

  • Develop an enhanced privacy and security awareness-training program.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins