Failure to Have HIPAA Controls in Place Cost Fresenius Medical Care North America (FMCNA) $3.5 Million

On February 1, 2018, the Department of Health and Human Services, Office for Civil Rights (“OCR”) issued a press release announcing the recent $3.5 million penalty imposed, in the form of a monetary settlement, on Fresenius Medical Care North America (FMCNA) for HIPAA violations that occurred in 2012. This $3.5 million settlement is the first significant enforcement action of the year, and one of largest for HIPAA violations.

FMCNA is a covered entity, as defined in 45 C.F.R. § 160.103, and is required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). FMCNA provides products and services to over 170,000 patients with chronic kidney failure. It has multiple related entities, approximately 60,000 employees, and a network comprised of dialysis facilities, outpatient cardiac and vascular labs, urgent care centers, hospital providers, and post-acute providers.

FMCNA reported to the OCR HIPAA security breaches that occurred on the premises of, or by employees of, five related entities: Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility (“FMC Duval”); Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove (“FMC Magnolia Grove”); Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin (“FMC Ak-Chin”); Fresenius Vascular Care Augusta, LLC (“FVC Augusta”); and WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (“FMC Blue Island”).

FMCNA stored patients’ medical records centrally, it created and disseminated HIPAA policies and procedures, and was responsible for investigating each incident reported. These breaches were resolved by FMCNA entering into a resolution agreement with OCR.  Although the electronic protected health information (ePHI) at issue was not under the direct control of FMCNA, OCR made FMCNA the “Covered Entity” party to the resolution agreement, because FMCNA provided centralized corporate support to the FMCNA entities that were directly responsible for safeguarding the protected data. FMCNA executed the resolution agreement on behalf of the five related entities. Pursuant to the terms of the resolution agreement, FMCNA paid HHS $3.5 million. In addition, FMCNA agreed to implement a corrective action plan (CAP), the terms of which are summarized below. This article highlights what OCR thought necessary to include in the CAP, because OCR’s CAP terms provide important compliance guidance. As you will see, the requirements of the CAP are notable lessons learned.

HIPAA Incidents Detail

FMCNA reported to OCR the following incidents:

  1. FMC Duval breach: On February 23, 2012, two desktop computers were stolen from FMC Duval. The incident involved the ePHI of 200 individuals.
  2. FMC Magnolia Grove breach: On April 3, 2012, an unencrypted USB drive was stolen from a workforce member’s car while it was parked in the lot at FMC Magnolia Grove. The USB drive contained the ePHI of 245 individuals.
  3. FVC Augusta breach: On June 16, 2012, a workforce member’s unencrypted laptop was stolen from her car while parked overnight at her home, where it was stored in a bag with a list of her passwords. The laptop contained the ePHI of 10 individuals.
  4. FMC Blue Island breach: On or around June 17-18, 2012, three desktop computers and one encrypted laptop were stolen from the Blue Island Facility location. One of the desktop computers contained the ePHI of 31 individuals.
  5. FMC Ak-Chin breach: On June 18, 2012, the FMCNA compliance line received an anonymous report that a hard drive from a desktop computer that was no longer in use was missing from FMC Ak-Chin on April 6, 2012. The hard drive contained the ePHI of 35 individuals. Although the workforce member whose hard drive was missing immediately notified the area manager, the area manager did not report the incident to the FMCNA Corporate Risk Management Department, who most likely would have been responsible for the investigation and implementation of other breach protocols.

Summary of HHS Findings

On July 15, 2013, OCR conducted a compliance review related to the five security incidents reported by FMCNA and found the following:

a) FMCNA failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI in accordance with 45 C.F.R. §164.308(a)(1)(ii)(A).

b) FMCNA impermissibly disclosed the ePHI of its patients by providing unauthorized access for a purpose not permitted by HIPAA Privacy Rule 45 C.F.R. § 164.502(a).

c) The FMCNA entities failed to implement certain policies and procedures to ensure compliance with five separate HIPAA requirements, specifically:

1. HIPAA physical safeguard rule related to facility security plan was violated when FMC Duval and FMC Blue Island failed to implement po1licies and procedures to safeguard its facilities and the equipment therein from unauthorized access, tampering, and theft in accordance with 45 C.F.R. §164.310(a)(2)(ii).

2. HIPAA physical safeguard rule related to device and media controls was violated when FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility in accordance with 45 C.F.R. § 164.310(d)(1).

3. HIPAA physical safeguard rule related to workstation use was violated when FVC Augusta failed to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI in accordance with 45 C.F.R. § 164.310(b).

4. HIPAA technical safeguards rule related to encryption and decryption was violated when FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI in accordance with 45 C.F.R. §164.312(a)(2)(iv).

5. HIPAA administrative safeguards rule related to security incident procedures was violated when FMC Ak-Chin failed to implement policies and procedures to address security incidents in accordance with 45 C.F.R. § 164.308(a) (6)(i).

Summary of Corrective Action Plan

In addition, FMCNA was required to implement a corrective action plan that mandated, among other things, that FMCNA and its related entities do the following:

1.  Conduct a Risk Analysis

a. Conduct a risk analysis that includes an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of FMCNA-related entities’ electronic protected health information (“ePHI”).

b. Within fourteen (14) days, submit to HHS the scope and methodology by which they propose to conduct the risk analysis, and within one hundred and eighty (180) days of HHS’s approval of the scope and methodology, submit the risk analysis.

2.  Develop and Implement a Risk Management Plan

a. Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis. The plan(s) must include a process and timeline for implementation, evaluation, and revision of their risk remediation activities.

b. Within ninety (90) days of HHS’s final approval of the risk analysis, submit their risk management plan to HHS for review, and within sixty (60) days of HHS’s approval, begin the implementation of the risk management plan and distribute the plan to workforce members involved with the implementation.

3.  Implement a Process for Evaluating Environmental and Operational Changes

a. Develop an evaluation process, that includes a written process(es) to regularly evaluate any environmental or operational changes that affect the security of ePHI in the FMCNA-related entities possession or control.

b. Within ninety (90) days of HHS’s final approval of the risk analysis, submit the evaluation process to HHS for review, and within sixty (60) days of HHS’s approval, implement the evaluation process and distribute copies of it to workforce members of the FMCNA covered entities involved with performing such evaluations.

4.  Develop Encryption Report. Within one hundred and eighty (180) days of HHS’s final approval of the risk management plan, develop and submit to HHS a written encryption report or reports on the status of the implementation of encryption.

5.  Review and Revise Policies and Procedures on Device and Media Controls

a. Review, and to the extent necessary, revise their device and media controls policies and procedures related to the receipt, removal and movement of electronic media.

b. Within ninety (90) days of HHS’ final approval of the risk analysis, submit the device and media controls policies and procedures and to HHS for review, and within thirty (30) days of approval, finalize and officially adopt those policies and procedures, and provide evidence of implementation of such policies and procedures to HHS.

6.  Review and Revise Policies and Procedures on Facility Access Controls

a. Review, and to the extent necessary, revise their physical access policies and procedures to limit physical access to all of their electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.

b. Develop a facility physical security plan that defines and documents the physical security controls to safeguard the facility or facilities and the equipment therein from unauthorized physical access, tampering, and theft.

c. Within ninety (90) days of HHS’s final approval of the risk analysis, submit the facility physical security plan to HHS for review, and within thirty (30) days of approval, finalize and officially adopt the physical access policies and procedures, and provide evidence of implementation of such to HHS.

7.  Develop an Enhanced Privacy and Security Awareness Training Program

a. Augment the existing mandatory health information privacy and security awareness training program. The training program shall include (1) general instruction on workforce members’ obligation to comply with policies and procedures related to the HIPAA rules, (2) the new or revised evaluation process (3) any new or revised device and media controls policies and procedures and physical access policies and procedures, (4) a process to ensure that each individual who is required to attend training certifies that they have received the training, and (5) a process for reviewing and revising training annually.

b. Within ninety (90) days of HHS’s final approval of the risk management plan, submit the proposed training materials to HHS for review, and within sixty (60) days of HHS’s approval of the FMCNA covered entities’ training materials, provide training, and train workforce members who join or return to the workforce after the initial training within forty-five (45) days of the commencement of their employment, or affiliation, or return, to the workforce.

Insight and Lessons Learned

When reviewing enforcement actions, it is important to ask what went wrong and what lessons can be learned.

The Existence of an Effective Compliance Program May Reduce Regulatory Fines

The biggest lesson learned is that a failure to establish risk controls, and to have an appropriate breach response plan could result in sobering fines. It is evident from the FMCNA settlement that more than the size of the violation is considered when calculating monetary penalties for HIPAA breaches. FMCNA paid an unusually high price ($3.5 million), although a relatively small number of individuals were potentially affected by the breaches. This number may seem shocking to some, but familiar to those who know what regulators factor into determining fines. Generally when imposing fines, regulators weigh the level of compliance efforts[1], the speed with which mitigation and breach response steps are taken, as well as the level of cooperation in investigations[2].

OCR determined that FMCNA failed to conduct risk analysis and failed to implement policies and procedures to ensure compliance with HIPAA. In one instance, when a manager was promptly notified of a breach, the manager failed to take appropriate breach response actions. OCR most likely took these things into consideration.

Here is the lesson: The greater your compliance and mitigation efforts the better your chances are of getting penalties at the bottom of the range of possible monetary sanctions that could be imposed for specific violation.

Calculate the Cost of Non-Compliance Before Deciding Not to Allocate Adequate Resources to Your HIPAA Compliance Program

When I am asked how much it will cost to put a HIPAA program in place, I share information on calculating the cost of implementing a new program, or improving an existing one.[3] I also point out that it is equally important to ask how much it will cost not to implement, train on and enforce policies to ensure compliance with HIPAA. In other words, what is the cost of non-compliance?

In this case, the cost of non-compliance includes a $3.5 million the settlement. But the cost is so much more. FMCNA’s impact assessment should also include the cost associated with the implementation of the CAP. Implementation costs include, among other things, developing new training, developing or revising policies and procedures, loss of productivity associated with employees being pulled away from normal duties to participate in training, the CAP implementation and the CAP oversight, senior team members responding to ongoing regulator inquires, and key employees’ time spent drafting and reviewing reports for submission to the OCR. In addition, legal fees are often sizeable, and therefore should be a line item in any financial impact assessment.

And while I cannot say what other costs FMCNA might have incurred (or will occur), often the impact includes both soft and hard costs. As a result of the CAP, there may be added costs associated with the hiring of consultants. Frequently, consultants are retained as subject matter experts, or to respond to an increased number of compliance or operation tasks, which is an added expense. As mentioned in my article “If Compliance Concerns Are Keeping Your CFO and Legal Team Up at Night – You Should Be Awake Too!“, legal and regulatory issues can erode public confidence in the brand. They can negatively affect stock value, and can place companies at a disadvantage in financial transactions. For example, pending and recent legal actions may have to be disclosed during due diligence associated with mergers and acquisitions, and raising capital. Disclosed regulatory or legal problems could lead investors to walk away from a deal or to renegotiate the purchase price.[4]

If a health plan is involved with government healthcare programs such as Medicaid and Medicare, the regulators may request that the health plan list “any and all” regulatory violations in its application process for new products, new markets and contract renewals. Serious or numerous violations could be a competitive disadvantage in states that have a bidding process, such as for Medicaid contracts; violations and poor compliance performance in the past will negatively impact on the scoring of a plan’s response to a request for proposal. In the absence of a competitive bid, regulatory violation could still be a basis for a government agency denying or refusing to extend contracts.

The second lesson: Be sure to consider the cost of non-compliance, and include potential monetary fines, operational impact, reputational harm, and the potential losses connected with having to disclose legal and regulatory issues in financial and other business transactions, proposals and applications.

Lessons Gleaned From the Corrective Action Plan

As mentioned above, the CAP is regulatory guidance, in that it gives insight into what the regulators have identified as core components of a HIPAA program, and what triggers enforcement action. The specific terms of the CAP support that, in order to avoid violating these specific HIPAA rules, the HIPAA covered entities should (1) conduct an accurate and thorough assessment of the potential security risks and vulnerabilities, (2) develop a written risk management plan or plans to address and mitigate any security risks and vulnerabilities identified, (3) develop a written process(es) to regularly evaluate any environmental or operational changes that affect the security of ePHI, (4) regularly review and revise policies and procedures to ensure compliance with HIPAA, and (5) review training programs to ensure that they include high risk areas specific to their operations. All of the above should, therefore, be added to the list of lessons learned.

Conclusion

My conclusion is simple. Not assessing and addressing your risks could be your biggest risk of all.

[1] OCR considered Lincare’s assertion that the CMP should be mitigated because no similar incidents of impermissible disclosures of PHI at any other Lincare operating center had been reported. Taking that into consideration, the OCR imposed the minimum penalty amount of $1,000 per day for the violations. See “Latest HIPAA Enforcement: OCR Imposed $239,800 in CMP Upon Lincare.”

[2] OCR fined Cignet Health of Prince Georges County $4.3 million for a HIPAA violation. Forty-one patients requested medical records; Cignet denied them access to those records. OCR determined that Cignet did not cooperate with the OCR investigation. The fine included $1.3 million for breaches, and an additional $3 million for its failure to cooperate. Providence Home and Community Services/Providence Hospice and Home Care, by contrast, was fined $100,000 for a breach involving 386,000 patients. The regulators specifically stated that it was only fined $100,000 because of its level of cooperation in the investigation.

[3] See “The Cost of HIPAA Compliance: It Depends

[4] Yahoo announced two breaches. The Verizon CEO advised the Yahoo director that a price reduction of $925 million was in order. The buying price was subsequently reduced by $350 million dollars.