Kidney Failure Service Provider Settles for $3.5 Million
Failure to perform a risk analysis was the central finding against Fresenius Medical Care North America (FMCNA), which has agreed to pay $3.5 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to settle potential HIPAA violations. The case is a classic example of what can go wrong when that step is skipped.
The potential violations stemmed from five ePHI breaches at five separate FMCNA-owned covered entities. OCR's investigation revealed that the FMCNA covered entities had failed to conduct an accurate and thorough risk analysis at each of the five locations, and consequently had not addressed the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of their ePHI.
Settle Potential HIPAA Violations
In addition to the $3.5 million settlement, OCR required FMCNA to:
- complete a risk analysis and risk management plan,
- revise policies and procedures on device and media controls as well as facility access controls,
- develop an encryption report,
- educate its workforce members on those policies and procedures.
Failure to Perform a Risk Analysis
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
This is a useful example for any organization subject to HIPAA, as it clearly shows the risk one takes by not following the requirements of the HIPAA Security Rule. Most importantly, it is a reminder that the failure to perform a risk analysis can by itself incur major penalties, independent of the breaches that bring an organization to OCR's attention. Above all, the risk analysis must be performed, used to address the gaps it identifies, and updated on a regular basis.