Failure to Perform a Risk Analysis

Kidney Failure Service Provider Settles for $3.5 Million

Fresenius Medical Care North America (FMCNA) agreed to pay a $3.5 million fee to the U.S. Department of Health and Human Services Office for Civil Rights to settle potential HIPAA violations.

EPHI Breaches

The potential violations stemmed from five EPHI breaches at five separate FMCNA-owned covered entities. The investigation uncovered FMCNA’s failure to perform the necessary risk analyses at each of the five locations.

Settle Potential HIPAA Violations

In addition to the $3.5 million settlement, FMCNA was ordered to:

  • complete a risk analysis and risk management plan,
  • revise policies and procedures on device and media controls as well as facility access controls,
  • develop an encryption report,
  • and educate its workforce members on its policies and procedures.

This is an excellent reminder that the risk analysis must be performed, used to address gaps, and updated on a regular basis.

See more from HHS