Healthcare Breach

Episode 20: Know The Rules! Case Study: Healthcare Breach


What Happens After A Healthcare Breach …

These days the news is filled with story after story about another healthcare breach of electronic protected health information (ePHI). Over the last few weeks I shared with you the importance of securing PHI.

Not Doing Their HIPAA Risk Analysis Cost Them $3.5 Million

Last week, Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and to adopt a comprehensive corrective action plan in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Why, You Ask?

Because on January 21, 2013, FMCNA filed five (5) separate breach reports for separate incidents occurring between February 23, 2012, and July 18, 2012, implicating the ePHI of five separate FMCNA owned Covered Entities (CEs).

Anytime a healthcare breach occurs this automatically sends an invitation to HHS for which they DO NOT have to RSVP. This is not a position you want to find yourself!

OCR’s Investigation

The investigation revealed FMCNA CEs failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.

  1. The FMCNA CEs impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.
  2. FMC Ak-Chin failed to implement policies and procedures to address security incidents.
  3. FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility; and the movement of these items within the facility.
  4. FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.
  5. FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “CEs must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Wait! There is more in store for FMCNA! In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA CEs to:

  1. Complete a risk analysis and risk management plan
  2. Revise policies and procedures on device and media controls as well as facility access controls
  3. Develop an encryption report
  4. Educate its workforce on policies and procedures

Covered Entities and Business Associates need to understand their patients are entrusting them with their most private and intimate details, they expect it to remain secure!

Don't Risk It

 

 

 

 

Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!