The dialysis company will also enter into an agreement with the agency to improve its patient privacy protocols.
Fresenius Medical Care North America, one of the largest dialysis providers in the country, has agreed to pay $3.5 million to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) after a series of data breaches that occurred in 2012. The company will also have to adopt a corrective action plan to bolster its patient privacy training and protocols.
The OCR enforces Health Insurance Portability and Accountability Act (HIPAA) rules that mandate penalties when patient health records are compromised. Fresenius reported the breaches, which occurred at 5 different clinics that it operated, in January 2013.
The breaches were unrelated to one another and all occurred in different states: The common thread was that they involved the theft or loss of computing devices that contained unencrypted electronic protected health information [ePHI].
One incident revolved around the loss of a hard drive that had been removed from the computer to be serviced: The employee immediately notified their Area Manager, but that person apparently failed to report the incident to the company’s corporate risk department.
At clinics in Florida and Illinois, desktops and laptops were stolen during break-ins, while employees at clinics in Alabama and Georgia had an unencrypted USB drive and laptop, respectively, stolen from their cars.
None of the thefts or losses individually compromised more than 245 patients’ protected health information, though the missing devices contained ePHI such as patient names, treatment information, Social Security numbers, and insurance information, which can be used to derive one’s Social Security number. In total, about 520 patients had their information exposed in the incidents, which all occurred between February and June of 2012.
According to an HHS statement, “OCR’s investigation revealed [Fresenius] covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.”
The $3.5 million penalty is in response to Fresenius facilities’ failure to properly report certain breaches, institute proper encryption measures, and secure their locations to prevent theft.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” OCR Director Roger Severino said in the statement. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
Fresenius has agreed to enter into a corrective action plan with the agency, and must submit the methodology of its risk analysis within 2 weeks of the effective date. The plan will require annual reporting to HHS, in addition to augmented health information privacy training, which must be approved by the agency.