In 2018's first HIPAA settlement, Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million to resolve HIPAA violations stemming from five data breaches that occurred in 2012.
A total of 525 patient records were exposed across five covered entities owned by FMCNA. The breaches resulted from the theft of two desktop computers, the theft of an unencrypted USB drive, the theft of an unencrypted laptop, a missing or stolen hard drive, and an office break-in in which three desktops and an encrypted laptop were stolen. The distinction matters: under the HIPAA Breach Notification Rule, ePHI on a properly encrypted device is not "unsecured" PHI, so the encrypted laptop alone would not have triggered a reportable breach, whereas the unencrypted devices did.
The Office for Civil Rights (OCR), the regulatory body charged with HIPAA enforcement, launched an investigation to determine whether the breaches resulted from failure to comply with HIPAA requirements.
OCR determined that FMCNA:
- Failed to conduct a HIPAA risk assessment
- Permitted unauthorized access to patient records
- Failed to implement policies governing computer hardware security
- Failed to safeguard its facilities
- Had no policies or procedures in place for responding to security breaches
Unfortunately, Smart Training compliance advisors encounter these same five deficiencies daily when conducting the compliance assessments provided free of charge to TDA members. "These practice owners are playing Russian Roulette with their businesses by neglecting to incorporate simple safeguards," said Lee Slaton, Smart Training's vice president of healthcare.
HIPAA Journal noted that the settlement "reflects the seriousness and extent of HIPAA violations," and that "it is not the size of the breach that matters." OCR investigates smaller breaches as well, and when HIPAA rules have been violated, covered entities can expect a substantial financial penalty.