$3.5 Million Fine for Fresenius Medical Care North America (FMCNA) to settle potential violations of the HIPAA Privacy and Security Rules for FIVE different breaches.

RISKAlert Report Updated: Feb 2, 2018

FMCNA, a German company with US operations based in Waltham, Massachusetts, has agreed to pay a hefty $3.5 million fine that covers 5 separate HIPAA violations.

FMCNA provides products and services for people with chronic kidney failure; it has over 60,000 employees and serves over 170,000 patients. Its facilities include dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitals and post-acute care providers.

The US Dept. of Health and Human Services said the company failed to heed HIPAA’s risk analysis and risk management rules. FMCNA is also required to adopt a Comprehensive Corrective Action Plan. The investigation by DHHS’ Office of Civil Rights (OCR) into the data incidents found that FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of their ePHI.

The breaches spanned three states including Florida, Alabama, and Georgia. Each provider had specific deficiencies and the Agreement calls out each deficiency by provider. You can read the entire Resolution Agreement at https://www.hhs.gov/sites/default/files/fresenius-racap.pdf.

Fresenius Medical Care’s corporate headquarters is in Bad Homburg, Germany. The North American headquarters is in Waltham, Massachusetts and the Asian-Pacific headquarters is located in Hong Kong.

LESSONS LEARNED:

1. All providers need to have a current Risk Analysis that identifies potential threats,
   analyzes solutions, and provides a concrete plan to fix any deficiencies. The Risk Analysis
   must adjust to new threats, such as ransomware attacks.

2. Covered entities like FMCNA are responsible for all the providers in their network.

For more information and more great content:
www.riskandsecurityllc.com or www.caroline-hamilton.com