$3.5 Million HIPAA Fine for Risk Management Failures
The most recent large-scale HIPAA fine is a cautionary tale for health care professionals of all varieties about the dangers of improper risk management.
On February 1, 2018, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $3.5 million settlement resolving numerous HIPAA violations uncovered during its investigation.
OCR levies fines ranging from $100 to $50,000 per incident, depending on the severity of the violation and the level of perceived negligence on the part of the organization being investigated.
The organization, Fresenius Medical Care North America (FMCNA), is a provider of products and services relating to renal care and kidney failure. FMCNA reported five separate incidents in January of 2013 for breaches that had occurred between February and July of 2012. As per the HIPAA Breach Notification Rule, all breaches of protected health information (PHI) must be reported to OCR. Common examples of PHI include names, addresses, phone numbers, health care data, insurance information, and Social Security numbers, to name a few. 2017 saw the first fine in the history of HIPAA enforcement for a violation of the Breach Notification Rule.
These breaches were spread across five different branches of the FMCNA system. Over the course of their investigation, OCR determined that FMCNA failed to conduct the appropriate risk management in their locations in accordance with HIPAA regulatory requirements. Among the breaches uncovered, OCR found HIPAA violations including:
- Failure to conduct an adequate risk analysis, which is required to assess risk to PHI throughout a health care organization.
- Failure to implement HIPAA policies and procedures regarding access to, and removal of, hardware that handles PHI. As per HIPAA regulation, access must be limited according to role-based need. Health care organizations must also have policies addressing the physical removal of devices that can access PHI from the premises of the entity’s practice.
- Failure to encrypt PHI. In many cases, HIPAA regulation requires organizations to encrypt any PHI stored in an electronic format, both at rest and in motion, in order to protect the security and integrity of the data.
- Providing unauthorized access to PHI, which has strict limitations as per the HIPAA Privacy Rule.
This massive HIPAA violation underscores the importance that all health care practices need to place on HIPAA compliance. Having a thorough, effective, and up-to-date HIPAA compliance program is the only way to defend against mounting HIPAA violations and federal fines.