HIPAA Privacy & Security Updates—From Dorothy Cociu, COIN Editor, and HIPAA Privacy & Security Consultant & Trainer, President, Advanced Benefit Consulting & Insurance Services, Inc.
March-April, 2018
On February 1, 2018, HHS/OCR announced that Five Breaches add up to millions in settlement costs for an entity that failed to heed HIPAA Risk Analysis Management Rules.
Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the US Department of Health & Human Services (HHS) Office of Civil Rights, and to adopt a comprehensive corrective action plan, in order to settle potential violations of the HIPAA Privacy & Security Rules. FMCNA is a provider of products and services for people with chronic kidney failure with over 60,000 employees that serves over 170,000 patients. FMCNA’s network is comprised of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-cute providers.
On January 21, 2013, FMCNA filed separate breach reports for separate incidents occurring between February 23, 2012 and July 18, 2012, implicating the electronic protected health information (ePHI) of five separate FMCNA owned covered entities.
The five locations of the breaches were Bio-Medical Applications of Florida, DBA Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval Facility); Bio-Medical Applications of Alabama, Inc., DBA Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove Facility); Renal Dimensions, LLC , DBA Fresenius Medical Care Ak-Chin Facility in Maricopa, Arizona (FMC Ak-Chin Facility); Fresenius Vascular Care Augusta, LLC (FVC Augusta); and WSKC Dialysis Services, Inc., DBA Fresenius Medical Care Blue Island Dialysis (FMC Blue Island Facility).
OCR’s investigation revealed FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI.
The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule. FMC Ak-Chin failed to implement policies and procedures to address security incidents. FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.
In addition to the $3.5 million monetary settlement, a corrective action plan requires FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls, as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures.
On February 13, 2018, HHS/OCR reported that Consequences for HIPAA Violations do not stop when a business closes.
A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 out of the receivership estate to the US Department of Health & Human Services (HHS) Office of Civil Rights in order to settle potential violations of the HIPAA Privacy Rule. Filefax, located in Northbrook, Illinois, advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities. Although Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations, it could not escape its obligations under the law.
On February 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and February 9, 2015. OCR opened an investigation, which confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ PHI.
OCR’s investigation indicated that between January 28, 2015 and February 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlockd trunk in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.
Filefax is no longer in business. In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets for distribution to creditors and others. In addition to $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA. ##
Source: HHS Office for Civil Rights in Action, February 1, 2018, Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules, OCR HIPAA Privacy Rule Information Distribution.