A large health system will pay $3.5 million to settle allegations it violated HIPAA. The case illustrates the need for better risk analysis.

• The health system failed to conduct a risk analysis.

• The Office for Civil Rights is focusing less on disclosure and more on risk analysis.

• Risk assessments can be expensive, but can be performed internally.

A health system’s recent settlement with the government shows how providers still are dropping the ball on compliance issues that everyone should understand by now.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced recently that Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million for HIPAA violations.

The violations at the heart of the case show how healthcare organizations still are not up to speed on the need for risk analysis, says Roy Wyman, JD, partner with the law firm of Nelson Mullins Riley & Scarborough in Nashville, TN. He recalls recent government research on HIPAA compliance that illustrated the shortcoming.

“A large proportion of the covered entities surveyed flunked it entirely, with a lot of them having done absolutely nothing in risk analysis,” he says. “You combine that with this settlement with Fresenius and you see that what really nailed them was not the disclosures, but the fact they had not done a risk assessment to figure out where the risks were.”

People get overwhelmed and don’t know where to start with a risk assessment, Wyman says.

“They’ll grab the low-hanging fruit with things like putting the privacy practices in place, but what they don’t realize is that there is this basic security requirement,” Wyman says. “Once OCR gets in the door, it’s the first thing they’re going to look for. It’s almost always overlooked — not just in small practices, but in hospitals and large entities. They’re missing this entirely.”

Assessment May Be Pricey

To be sure, conducting a proper risk assessment is no small endeavor. Wyman worked in the past with a large healthcare organization to conduct a full risk assessment and saw how much money and work it requires.

“For a big organization, you were talking about paying six figures for a firm to come in and do a full assessment, and then at the end of it they haven’t fixed anything. They’ve just told you what you need to do,” Wyman says. “You still aren’t compliant because you haven’t incorporated it into your risk management program.”

Companies with billions of dollars in revenue every year can afford to do that, Wyman says, but the typical physician practice or hospital relies on far less sophisticated measures for HIPAA compliance.

Covered entities can conduct a proper risk analysis internally, Wyman says, but most will require the guidance of an attorney specializing in HIPAA compliance.

Wyman notes that OCR’s enforcement has changed focus recently: it is no longer looking for breaches and is looking more for failures to comply with essential components such as the risk analysis.

“These days, they aren’t actually looking for harm,” Wyman says. “We’re seeing people hit with very large fines where no information was disclosed. Now with failure to have a risk assessment, it’s usually tag-along where there’s some small disclosure but they say that’s no big deal — but the failure to have a risk assessment is a big deal.”

CAP Also Required

In addition to the settlement, FMCNA also will adopt a comprehensive corrective action plan, OCR announced. FMCNA provides products and services for more than 170,000 patients with chronic kidney failure. On Jan. 21, 2013, FMCNA filed five separate breach reports for separate incidents occurring between Feb. 23, 2012, and July 18, 2012, implicating the electronic protected health information (ePHI) of five separate FMCNA-owned covered entities, according to the OCR report.

“OCR’s investigation revealed FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI,” the report says. “The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.”

Various locations of FMCNA failed to implement policies and procedures to address security incidents; failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; failed to implement policies and procedures to safeguard their facilities and equipment from unauthorized access, tampering, and theft when it was reasonable and appropriate to do so under the circumstances; and failed to implement a mechanism to encrypt and decrypt ePHI when it was reasonable and appropriate to do so under the circumstances.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprisewide risk analysis for a covered entity,” OCR Director Roger Severino said in a statement announcing the settlement. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate their workforce on policies and procedures.

The resolution agreement and corrective action plan can be found on the Office for Civil Rights website at: http://bit.ly/2nwTvXi.


• Roy Wyman, Partner, Nelson Mullins, Nashville, TN. Phone: (615) 664-5362. Email: roy.wyman@nelsonmullins.com.