Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to settle potential HIPAA violations relating to the impermissible disclosure of electronic protected health information (ePHI), marking the first HIPAA settlement of 2018. The U.S. Department of Health and Human Services (HHS) announced the settlement on February 1.

HHS's Office for Civil Rights (OCR) initiated its investigation of FMCNA, a provider of products and services for people with chronic kidney failure, after FMCNA submitted five breach reports in January 2013, each covering a separate incident that occurred in 2012. OCR's investigation revealed that the FMCNA covered entities had failed to conduct an adequate risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their ePHI. The allegations against FMCNA also included failure to implement policies and procedures to safeguard facilities and equipment from unauthorized access, failure to encrypt and decrypt ePHI, and failure to adequately address security incidents.

As part of the settlement, FMCNA has entered into a corrective action plan that requires it to complete a risk analysis and risk management plan, revise its policies and procedures, develop an encryption report, and educate its workforce.

For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.