HIPAA Settlement

Five Breaches Add Up to Millions in HIPAA Settlement

When multiple smaller breaches compound into a major enforcement action — the case that changed how OCR investigates repeat violations.

April 2026 3 min read AXIS CloudSync Compliance Team

Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and to adopt a comprehensive corrective action plan in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. FMCNA is a provider of products and services for people with chronic kidney failure, with over 60,000 employees, that serves over 170,000 patients.

FMCNA's network is comprised of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers. On January 21, 2013, FMCNA filed five separate breach reports for separate incidents occurring between February 23, 2012 and July 18, 2012, implicating the electronic protected health information (ePHI) of five separate FMCNA-owned covered entities (FMCNA covered entities). The five locations of the breaches were Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval Facility); Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove Facility); Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin Facility); Fresenius Vascular Care Augusta, LLC (FVC Augusta); and WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island Facility).

OCR's investigation revealed that the FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule. FMC Ak-Chin failed to implement policies and procedures to address security incidents.

FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and the equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances. FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI when it was reasonable and appropriate to do so under the circumstances.

"The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity," said OCR Director Roger Severino. "Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."

In addition to the $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures.

The resolution agreement and corrective action plan may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/fmcna/index.html. To learn more about health information privacy laws and health information privacy rights, please visit www.hhs.gov/hipaa. To file a complaint with OCR based on a violation of civil rights, conscience or religious freedom, or health information privacy, visit us at www.hhs.gov/ocr/complaints.

Ready to protect your organization?

AXIS CloudSync gives healthcare, legal, and financial teams enterprise-grade encryption, audit logs, and a BAA — ready from day one.
