Fresenius Medical Care North America (FMCNA) will pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights to settle Health Insurance Portability and Accountability Act (HIPAA) violations. FMCNA also will adopt a “comprehensive corrective action plan,” according to an HHS press statement.

In 2013, FMCNA, a company that produces dialysis services and products, filed five breach reports. Each involved breaches of unsecured electronic protected health information (ePHI) occurring at FMCNA facilities over four months in 2012.

One case involved theft of two desktop computers containing 200 patients’ ePHI. Another breach occurred when an unencrypted USB drive containing 245 patients’ ePHI was stolen. In a third case, a hard drive containing 35 patients’ ePHI was replaced, but later discovered missing. Another case involved theft of an unencrypted laptop containing 10 patients’ ePHI. The fifth breach occurred when three desktop computers—one containing 31 patients’ ePHI—and one laptop were stolen.

An OCR compliance review was initiated soon after the FMCNA report showed that the company had failed to assess its potential HIPAA risks and vulnerabilities, safeguard its facilities, implement policies governing the removal of hardware from its facilities, and encrypt devices appropriately.

By agreeing to the settlement, FMCNA admitted no liability and all other potential claims against it by HHS were released.

No information related to this activity was on FMCNA’s compliance website at press time—only a document explaining basic privacy and security rules for its customers and patients.
 

Hospital Infection Control & Prevention

With infection prevention programs in the national spotlight like never before, award-winning Hospital Infection Control & Prevention (18 CE annually) is here to help. Each month, we’ll keep you up to speed with precise compliance information on the latest guidelines, accreditation standards, and state and federal regulations.