A review determined that the kidney, cardiac, and urgent care specialists failed on several occasions to heed HIPAA's risk analysis and management rules, HHS says.
Fresenius Medical Care North America will pay $3.5 million to the federal government and adopt corrective actions to address five separate data breaches, the Department of Health and Human Services announced Thursday.
HHS's Office of Civil Rights said their investigation showed that Fresenius failed to conduct an accurate and thorough analysis of risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic medical records.
As a result of those procedural failures, HHS said, the Fresenius facilities improperly disclosed the electronic medical records of patients by providing unauthorized access, which is a violation of the privacy provisions of the Health Insurance Portability and Accountability Act.
Fresenius on Thursday issued the following statement: "We take the protection of our patients’ health information very seriously. It is a top priority for our company and a critical issue facing the entire healthcare industry."
"We recently entered into a settlement agreement with the U.S. Department of Health & Human Services Office for Civil Rights to informally resolve alleged HIPAA violations stemming from incidents that occurred in 2012, most of which involved theft of company computers and equipment."
"The settlement is not an admission that we violated HIPAA, and there is no evidence that any of our patients' health information was improperly accessed or misused. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft.”
The breaches occurred between February and July of 2012 and were reported to HHS by Fresenius in January 2013.
The affected facilities are as follows:
- Fresenius Medical Care Duval Facility in Jacksonville, FL, which failed to implement procedures to prevent unauthorized access, tampering, and theft;
- Fresenius Medical Care Magnolia Grove in Semmes, AL which failed to properly oversee the receipt and removal of hardware and electronic media that contained patient information;
- Fresenius Medical Care Ak-Chin in Maricopa, AZ, which failed to implement procedures to address security breaches;
- Fresenius Vascular Care Augusta, (GA), which failed to implement safeguards against unauthorized access, tampering, and theft.
- Fresenius Medical Care Blue Island (IL) Dialysis, which failed to implement safeguards against unauthorized access, tampering, and theft.
Fresenius’ Magnolia Grove and Augusta clinics also failed to install a mechanism to encrypt and decrypt electronic patient records, HHS said.
In addition to a $3.5 million fine, Fresenius will submit a corrective action plan that: addresses risk analysis and risk management; revises policies and procedures on device, media and facility access controls; develops an encryption report; and educates staff on policies and procedures, HHS said.
Fresenius provides kidney dialysis services for more than 170,000 patients in several states. Fresenius employs more than 60,000 people, with a care network that includes dialysis clinics, outpatient cardiac and vascular labs, urgent care centers, and hospitalist and post-acute providers.
John Commins is the news editor for HealthLeaders.