
Legal Updates for Privacy and Data Security

February 6, 2018
Presented by the Privacy and Data Security Practice Group

OCR Announces $3.5 Million Settlement With a Medical Provider for Five Separate Data Breaches

By David J. Shannon, Esquire

Fresenius Medical Care North America (FMCNA) and the Office of Civil Rights (OCR) have entered into a $3.5 million settlement agreement to resolve five separate data breaches that occurred over a five-month period in 2012. FMCNA must also adopt a comprehensive corrective action plan to resolve the alleged HIPAA violations. FMCNA provides products and services for patients with chronic kidney failure, has over 60,000 employees, and serves more than 170,000 patients.

In January 2013, FMCNA advised the OCR of five separate breaches that occurred at its facilities in 2012. The OCR's investigation revealed that FMCNA had failed to comply with HIPAA and failed to conduct a proper risk analysis of the potential risks and vulnerabilities to its patients' electronic Protected Health Information (ePHI). Numerous disclosures of ePHI occurred by way of unauthorized access for purposes not permitted by HIPAA's Privacy Rule. The failures occurred at multiple FMCNA sites and facilities. An OCR director was quoted as saying that the number of breaches, involving a wide variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-risk analysis for a covered entity.

This settlement reinforces the need for all covered entities to have proper HIPAA-compliant policies and procedures that should be reviewed on a regular basis. FMCNA is now paying a multimillion-dollar fine as well as enacting the numerous other corrective action plan requirements as a result of its failure to have proper policies in place.

The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. To be removed from our list of subscribers who receive these complimentary Privacy and Data Security updates, please contact djshannon@mdwcg.com. If, however, you continue to receive the alerts in error, please send a note to djshannon@mdwcg.com.

ATTORNEY ADVERTISING pursuant to New York RPC 7.1
© 2018 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved.
