Clinic Operator Fresenius to Pay $3.5M for Health Privacy Breaches

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Dialysis clinic operator Fresenius Medical Care has agreed to pay the Department of Health and Human Services $3.5 million to settle federal claims alleging lax data security practices led to five breaches of electronic protected health information, the agency said Feb 1.

The claims, brought under Health Insurance Portability and Accountability Act (HIPAA) rules, stem from breaches that occurred at Fresenius facilities in Alabama, Arizona, Florida, Georgia, and Illinois from Feb. 23-July 18, 2012.

Fresenius “failed to conduct an accurate and thorough risk analysis of potential risk and vulnerabilities to the confidentiality, integrity, and availability of all of its” protected health data at its locations, according to the announcement. The breaches led to the exposure of 521 patients’ health data, according to the settlement.

HHS has notified health-care providers, including those that collect and store sensitive electronic health data, that it will seek enforcement actions if they don’t have adequate cybersecurity risk analysis procedures and don’t do enough to protect patient data.

Fresenius agreed to complete a risk analysis and risk management plan, update facility access controls, develop an encryption report, and update employees on new policies and procedures, according to the settlement.

Fresenius, which didn’t admit fault in the settlement, agreed pay the penalty to the HHS Office for Civil Rights.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” HHS Office for Civil Rights Director Roger Severino said in a Feb. 1 statement. HIPAA-covered entities “must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law,” he said.

Brad Puffer, Fresenius spokesman, told Bloomberg Law that the company takes patient data protection “very seriously.” The settlement isn’t an admission of any HIPAA violation, and the company “will continue to take additional steps to protect patient data,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security