Late last week, Fresenius Medical Care (FMC), a dialysis provider with nationwide coverage that also operates a number of urgent care centers and labs, settled with the Department of Health and Human Services Office of Civil Rights (OCR) over a number of alleged patient privacy breaches that occurred in 2012. In addition to a payment of $3.5 million to OCR, the company must adopt and implement a corrective action plan that includes both a risk analysis and risk management plan, and the implementation of more effective policies on device and media controls, encryption, and facility access.

FMC disclosed five separate breaches of electronic protected health information (ePHI) in reports filed in January 2013. The breaches occurred in separate incidents across five states and included:

  • Jacksonville, Florida – two desktop computers stolen during a break-in, one of which contained the ePHI of 200 patients.
  • Maricopa, Arizona – the ePHI of 35 patients was on the hard drive of a desktop computer taken out of service and removed from the facility. The incident was not reported to the corporate risk manager.
  • Augusta, Georgia – a laptop and list of passwords left in an employee’s personal vehicle was stolen while parked overnight at the employee’s home. The laptop contained the ePHI of 10 patients.
  • Semmes, Alabama – an unencrypted USB drive was stolen from an employee’s vehicle while it was parked at the facility parking lot. The USB contained the ePHI of 245 persons.
  • Blue Island, Illinois – three desktops and one laptop computer were stolen from the facility. One of the computers contained ePHI for 31 individuals.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino in a press release. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

The Health Care and Pharmacy team at FisherBroyles conducts risk assessments and formulates risk management plans to ensure compliance with all state and federal ePHI requirements. We welcome your questions on ePHI and all other issues of federal and state health care law compliance. Please contact any of the following attorneys:

Brian Dickerson, FisherBroyles Partner
Brian E. Dickerson

Anthony Calamunci, FisherBroyles Partner
Anthony Calamunci

Nicole Waid, FisherBroyles Partner
Nicole Hughes Waid

Amy Butler, FisherBroyles Partner
Amy Butler

Katy Wane, FisherBroyles Partner
Katy Wane