Fresenius Medical Center North America (FMCNA) agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a two-year comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

The no-fault resolution agreement states that FMCNA reported five separate incidents that occurred between February 23, 2012 and July 18, 2012 at five distinct FMCNA facilities (FMCNA Covered Entities).  FMCNA provides centralized corporate support to the FMCNA Covered Entities, including storing patient’s medical records, creating and disseminating HIPAA policies and procedures, and investigating the circumstances surrounding each breach reported to it by the FMCNA Covered Entities.

The following is a list of the FMCNA HIPAA breaches:

• Two desktop computers were stolen during a break-in at a FMCNA Covered Entity, one of which contained the electronic protected health information (ePHI) of 200 individuals.
• An unencrypted USB drive that contained the ePHI of 245 individuals was stolen from a workforce member’s car while it was parked in the lot at a FMCNA Covered Entity.
• The FMCNA compliance hotline received an anonymous report that a hard drive that contained the ePHI of 35 individuals from a desktop computer was missing. The workforce member whose hard drive was missing promptly notified the appropriate individual, however that individual failed to report the incident to the FMCNA Corporate Risk Management Department.
• A workforce member’s unencrypted laptop that contained the ePHI of 10 individuals was stolen from her car while parked overnight at her home, where it was stored in a bag with a list of her passwords.
• Three desktop computers and one encrypted laptop were stolen from a FMCNA Covered Entity. One of the computers contained the ePHI of 31 individuals.

The HHS corrective action plan requires the FMCNA Covered Entities to:

• Conduct a risk analysis.
• Develop and implement a risk management plan.
• Implement a process for evaluating environmental and operational changes.
• Develop an encryption report.
• Review and revise policies and procedures on device and media controls as well as facility access controls.
• Develop an enhanced privacy and security awareness-training program.

With this first major 2018 HIPAA settlement under its belt, OCR may be setting the tone for another very active enforcement year ahead. If you have any questions about this HIPAA settlement or HIPAA compliance more generally, please feel free to contact any member of Drinker Biddle’s Health Care Team.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.