OCR HIPAA Enforcement - 5 "Small" Breaches Culminate in $3.5M Settlement
Today, OCR announced a $3.5M settlement agreement with Fresenius Medical Care Holdings, Inc. (Fresenius Medical Care North America), the company that owns and provides centralized corporate support to the various covered entity organizations within its health care network. The OCR investigation was launched after the company submitted five different breach notifications, for five different entities, all related to incidents that occurred the previous year (presumably in its annual report of breaches affecting fewer than 500 individuals). The incidents involved as few as 10 patients and up to 245, but each of them was under 500. In addition to failure to perform a thorough and accurate risk analysis, OCR also cited: disclosure of PHI for a purpose not permitted by the Privacy Rule; failure to implement policies and procedures to safeguard its facilities and equipment from unauthorized access, tampering, and theft; failure to maintain appropriate inventories to track and manage devices and media; failure to encrypt and decrypt ePHI; failure to implement policies and procedures for managing security incidents; and failure to implement policies and procedures for proper use and security of workstations that access ePHI.
This settlement makes clear that the annual reporting of smaller breaches does not go without agency scrutiny, and that minor incidents can result in substantial enforcement measures. Read more here: https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html