Waltham, Mass.-based Fresenius Medical Care North America will pay HHS' Office for Civil Rights $3.5 million to settle allegations it violated HIPAA rules in 2013. As part of the settlement, the organization also agreed to adopt a comprehensive corrective action plan.
FMCNA provides products and services to people with chronic kidney failure. The entity serves over 170,000 patients in its network of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.
FMCNA filed five breach reports in January 2013 for separate incidents occurring between February 2012 and July 2012. The incidents, which compromised patients' electronic protected health information, each occurred at different FMNCA locations throughout the U.S.
HHS' OCR investigated the reports, and it found the five FMCNA covered entities failed to conduct an accurate risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI.
"The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity," said OCR Director Roger Severino. "Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."