The Office for Civil Rights published a press release detailing the information on a $3.5 million HIPAA settlement and what led up to this settlement.

On February 1, the news came out about Fresenius Medical Care North America (FMCNA) agreeing to pay a $3.5 million HIPAA settlement. FMCNA helps many patients dealing with chronic kidney failure and has more than 170,000 patients.

In January 2013, FMCNA reported five separate security incidents that had occurred in 2012.

Remember, for breaches affecting fewer than 500 patients, the covered entity can report those breaches all at one time with the cutoff date usually being around March of the next year.

From the investigation into the five incidents, the OCR discovered that several of FMCNA’s covered entities “failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.”

The press release also broke down more information on the specific policies and procedures that were missing and, in some cases, the safeguards that were missing. Some of the missing safeguards included not implementing encryption mechanisms. While encryption is an addressable standard for HIPAA compliance, it appears that the OCR expects organizations to use it unless there is a clear, documented reason not to encrypt electronic protected health information (ePHI).

Additionally, OCR Director Roger Severino stated that the “number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity.”

This is a perfect example of how the small breaches that aren’t reported to the media can add up. There isn’t much information on how many patients were involved in each incident, so the total number could range from 5 to 2,495 patients. $3.5 million is a lot of money to pay out for so few patients affected. How many patients does your health care organization serve? Are you meeting HIPAA standards to protect your organization from potentially bankrupting fines?
To help protect your organization against this type of HIPAA settlement, join HIPAAgps today.