Deeper Than the Headlines: Don’t Fail to Perform an Enterprise-Wide HIPAA Security Risk Analysis

Last month the OCR announced a $3.5 million settlement with Fresenius Medical Care North America (FMCNA). Why? The OCR cited that Fresenius “failed to heed HIPAA’s risk analysis and risk management rules.”

Fresenius provides products and services for people with chronic kidney failure. They employee over 60,000 people and serve more than 170,000 patients. Fresenius has dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.

OCR began their investigation after Fresenius reported five separate breach reports on January 21, 2013. The five reports represented breaches for separate incidents that occurred between February 23, 2012, and July 18, 2012, all involving electronic protected health information (ePHI) at five separate Fresenius entities.

According to the OCR press release, the five locations were:

  1. Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval Facility)
  2. Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove Facility)
  3. Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin Facility)
  4. Fresenius Vascular Care Augusta, LLC (FVC Augusta)
  5. WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island Facility)

OCR’s investigation revealed that Fresenius’ covered entities “failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.” And the Fresenius facilities “impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.”

OCR shared some further details about what they found at each of the facilities:

  • FMC Ak-Chin “failed to implement policies and procedures to address security incidents.”
  • FMC Magnolia Grove “failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility.”
  • FMC Duval and FMC Blue Island “failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.”
  • FMC Magnolia Grove and FVC Augusta “failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.”

Regarding this settlement, OCR Director Roger Severino had some very clear and strong words about the importance of performing a HIPAA Security Risk Analysis. He said, “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

And the $3.5 million settlement might not be the most expensive and difficult part of this story. In addition to the investigation and financial settlement that Fresenius underwent, they also agreed to a corrective action plan that requires Fresenius to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures. The 18-page resolution agreement and corrective action plan can be read in its entirety at https://www.hhs.gov/sites/default/files/fresenius-racap.pdf?language=en

Healthicity offers both “do-it-yourself” as well as consultant-guided risk analyses for entities seeking help with performing a HIPAA Security Risk Analysis. The Security Rule and OCR have provided very detailed, and often technical, guidance on what is expected regarding a risk analysis. If you need some help, please don’t hesitate to give us a call.

Questions or Comments?