Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to settle potential HIPAA violations relating to the impermissible disclosure of electronic protected health information (ePHI), marking the first HIPAA settlement of 2018. The U.S. Department of Health and Human Services (HHS) announced the settlement on February 1.

HHS’s Office for Civil Rights (OCR) initiated its investigation of FMCNA, a provider of products and services for people with chronic kidney failure, after FMCNA submitted five separate breach reports in January 2013 for separate incidents in 2012. OCR’s investigation revealed that the FMCNA covered entities failed to conduct an adequate risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of their ePHI. The allegations against FMCNA also included failure to implement policies and procedures to safeguard facilities and equipment from unauthorized access, failure to encrypt and decrypt ePHI, and failure to adequately address security incidents.
As part of the settlement, FMCNA has entered into a corrective action plan that requires it to complete a risk analysis and risk management plan, revise its policies and procedures, develop an encryption report, and educate its workforce.