The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) has announced its first settlement of a HIPAA breach in 2018. The settlement arose from five separate breaches by five different entities owned by Fresenius Medical Care, a large provider of kidney dialysis and other medical services. The breaches involved stolen computers, a stolen USB drive, and a missing hard drive, all occurring within a five-month span in 2012.

In its compliance review, OCR found:

  • A failure to conduct an accurate and thorough assessment of security risks and vulnerabilities
  • Unauthorized access to electronic protected health information (PHI) for impermissible purposes
  • A failure to implement policies and procedures for the handling of hardware that contains electronic PHI and various other security protocols
  • A failure to implement policies and procedures to address security incidents
  • A failure to implement a mechanism to encrypt and decrypt electronic PHI

The settlement agreement requires Fresenius to pay $3.5 million and to implement a corrective action plan that addresses risk analysis and management, the revision of a wide range of policies and procedures, and workforce training. Each of these measures is to be conducted under the close supervision of HHS: many of Fresenius’s actions will be subject to HHS approval, Fresenius will be required to complete its risk analysis and implement measures within specified time frames, and it will be required to report to HHS annually about its training program.

This announcement marks a continuation of OCR’s increased enforcement efforts that have led to numerous settlements over the past few years. The settlement demonstrates how OCR investigations will look past the breaches themselves and focus on the measures that covered entities and business associates ought to take under HIPAA to prevent (or at least minimize the risk of) those breaches.