$3.5M Payment Aside, First OCR Settlement of 2018 Looks Much Like Those of Years Past

The first half of 2012 wasn’t a particularly stellar time for the security of protected health information (PHI) at five locations of Fresenius Medical Care North America, a provider of services for patients with kidney failure and other chronic diseases. From February to July of that year, the firm suffered five separate thefts and losses of computers and other equipment holding PHI, which it dutifully included in its annual breach report submitted to the HHS Office for Civil Rights (OCR) in January 2013.

And although the losses cumulatively affected fewer than 600 patients and the firm says there’s no evidence any harm resulted from them, Fresenius has paid dearly to OCR for the missteps—$3.5 million, to be exact.

On Feb. 1, Fresenius became the first HIPAA covered entity (CE) of 2018 to agree to a settlement with OCR to resolve allegations of privacy and security rule violations. In addition to the $3.5 million payment, the Waltham, Massachusetts-based firm will follow a two-year corrective action plan (CAP) that obligates it to complete an “encryption” report, among other requirements.

OCR’s most recent settlement prior to this was with 21st Century Oncology, which paid $2.3 million following the exposure of PHI for 2.2 million patients. Announced December 28, that agreement helped OCR end 2017 with $19.4 million collected from 10 organizations (RPP 1/18, p. 1).

In the past, OCR’s settlements rarely exceeded $1 million and more typically ran $500,000 or less. But in recent years, multimillion-dollar settlements have become commonplace; six of last year’s were more than a million, so the new $3.5 million settlement doesn’t stand out in this regard. It is also another example of the agency pursuing enforcement action against a CE for multiple small breaches, as former Director Jocelyn Samuels had promised OCR would do (RPP 9/16, p. 1).

What is most notable, perhaps, is that it took OCR five years to bring its investigation of Fresenius to a close and reach a settlement, and in many ways, both the precipitating events and OCR’s findings are a throwback to breaches and settlements of the past. The breaches at issue here don’t involve new or high-tech events, such as hacking or ransomware attacks.
