Earlier this month, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a $3.5 million HIPAA settlement with Fresenius Medical Care North America (“Fresenius”), a company which focuses on delivering care to patients with renal and other chronic conditions. Fresenius provides centralized support to a network of Fresenius Covered Entities (“Fresenius Facilities”).
In 2013, Fresenius reported five separate breaches that occurred between February 2012 and June 2012. All five breaches were the result of lost or stolen devices and ePHI not being encrypted. Device theft and unencrypted data are two of the biggest causes of HIPAA breaches.
In February, two desktop computers were stolen during a break-in at one of the Fresenius Facilities. The computers contained the electronic protected health information (“ePHI”) of 200 individuals, which included patient names, admissions dates, dates of service, dates of birth, and Social Security numbers.
In April, an unencrypted USB drive containing the ePHI of 245 individuals was stolen from the car of a workforce member.
On June 16, an unencrypted laptop was stolen from a workforce member's car after the laptop was left in the car overnight. The workforce member had a list of her passwords stored in the bag along with the laptop.
On June 17-18, 3 desktop computers and an encrypted laptop were stolen from one of Fresenius’ Facilities.
On June 18, a hard drive was reported missing to Fresenius’ compliance line after a desktop computer had been taken out of service to be replaced. While the workforce member did promptly notify the Area Manager of this, the Area Manager failed to report the incident to Fresenius’ Corporate Risk Management Department.
Only 521 individuals were impacted by all five breaches. However, OCR found that the Fresenius Facilities failed to conduct accurate and thorough risk analyses and that they failed to implement appropriate policies and procedures for the encryption of PHI or the protection of devices from theft.
In his announcement of the settlement, the director of OCR, Roger Severino, stated that “[c]overed entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law,” and that “there is no substitute for an enterprise-wide risk analysis for a covered entity.”
Fresenius must enter into a two-year Corrective Action Plan with OCR in addition to the $3.5 million fine. The Corrective Action Plan requires the Fresenius Facilities to conduct risk analyses, develop and implement risk management plans, review and revise policies pertaining to device and media controls, review and revise policies pertaining to facility access controls, implement a process for evaluating changes that affect the security of ePHI, develop and submit to HHS an encryption report, and develop an enhanced privacy and security awareness training program. The Fresenius Facilities will be required to submit reports annually to HHS on their training program and compliance with the Corrective Action Plan and can face civil monetary penalties for non-compliance with the plan.
This settlement highlights several important things. First, it is critical to have effective policies and procedures and to ensure that they are updated in accordance with any changes to your organization. Second, you should be conducting thorough risk analyses that identify potential security risks and areas of vulnerability of your PHI and ePHI. Finally, you should ensure that workforce members who have access to PHI and ePHI are aware of your HIPAA policies and procedures, receive regular training on them, and are required to follow them.
This Legal Briefing is intended for general informational and educational purposes only and should not be considered legal advice or counsel. The substance of this Legal Briefing is not intended to cover all legal issues or developments regarding the matter. Please consult with an attorney to ascertain how these new developments may relate to you or your business. © 2018 Law Offices of Pullano & Farrow PLLC