A Crisis Easily Avoided
All seven HIPAA violations across five entities of Fresenius Medical Care North America (FMCNA) could have been avoided if FMCNA had used The HIPAA E-Tool®. Each of the five breaches was considered small in the numbers of patients affected, but the collective impact resulted in a $3.5 million Resolution payment, 5 years’ OCR investigation and a 2-year Corrective Action Plan (with close OCR supervision), primarily because no system-wide Risk Analysis-Risk Management Plan was in place.
As OCR Director Roger Severino said, “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity.” (italics added; quoted from HHS)
This is just the latest reminder that a Risk Analysis-Risk Management plan is at the heart of HIPAA, and policies alone are not enough without follow through. See our prior blog on OCR audit failures here.
Background
On January 21, 2013, FMCNA submitted five breach reports to HHS regarding breaches of its unsecured electronic protected health information (“ePHI”). Each breach report pertained to a separate and distinct incident involving loss or theft of ePHI of the FMCNA Covered Entities.
FMCNA provides centralized corporate support to the FMCNA Covered Entities involved in the breaches, including centrally storing its patients’ medical records, creating and disseminating HIPAA policies and procedures, and investigating the circumstances of each breach reported to it by the FMCNA Covered Entities.
The Violations and the Preventive Solutions
The seven violations and corresponding solutions from The HIPAA E-Tool® are cited below.
On July 15, 2013, OCR initiated a compliance review to investigate the five breach reports. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
Violation 1: The FMCNA Covered Entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. See 45 C.F.R. §164.308(a)(1)(ii)(A).
The HIPAA E-Tool® Solutions:
SR-1 Security Management Process
SR-2 Risk Management
RA-1 HIPAA Risk Analysis-Risk Management Policy and Procedures
Section 3 HIPAA Risk Analysis-Risk Management
Violation 2: The FMCNA Covered Entities impermissibly disclosed the ePHI of its patients by providing unauthorized access for a purpose not permitted by the Privacy Rule. See 45 C.F.R. § 164.502(a).
The HIPAA E-Tool® Solutions:
PR-8 Uses and Disclosures of Protected Health Information – General Rules
SR-1 Security Management Process
SR-2 Risk Management
RA-1 HIPAA Risk Analysis-Risk Management Policy and Procedures
BN-1 Breach of Unsecured PHI
Section 5 Introduction to the HIPAA Security Rule
Section 3 HIPAA Risk Analysis-Risk Management
Violation 3: FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard its facilities and the equipment therein from unauthorized access, tampering, and theft. See 45 C.F.R. §164.310(a)(2)(ii).
The HIPAA E-Tool® Solutions:
SR-27 Facility Access Controls
Section 3 HIPAA Risk Analysis-Risk Management
RA-2.A Security Rule Checklist
# 30 Do you have and implement a Facility Security Plan with Policies and Procedures to safeguard the Facility and equipment from unauthorized physical access, tampering and theft?
RA-5.B Risk Management Actions – Risks Identified by Security Rule Checklist
RA-6.D Risk Management – Security Rule Checklist Completion
Violation 4: FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. See 45 C.F.R. § 164.310(d)(1).
The HIPAA E-Tool® Solutions:
Section 3 HIPAA Risk Analysis-Risk Management
RA-2.A Security Rule Checklist
# 35 Do you implement Policies and Procedures regarding the receipt and removal of hardware and Electronic Media that contain EPHI into and out of the Facility and movement of these items within the Facility?
RA-5.B Risk Management Actions – Risks Identified by Security Rule Checklist
RA-6.D Risk Management – Security Rule Checklist Completion
Violation 5: FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI. See 45 C.F.R. §164.312(a)(2)(iv).
The HIPAA E-Tool® Solutions:
SR-31 Access Control
Section 3 HIPAA Risk Analysis-Risk Management
RA-2.A Security Rule Checklist
# 44 Do you implement Encryption and Decryption Procedures to Encrypt and Decrypt EPHI?
RA-5.B Risk Management Actions – Risks Identified by Security Rule Checklist
RA-6.D Risk Management – Security Rule Checklist Completion
Violation 6: FMC Ak-Chin failed to implement policies and procedures to address security incidents. See 45 C.F.R. § 164.308(6)(i).
The HIPAA E-Tool® Solutions:
SR-18 Security Incident Policy and Procedures
SR-19 Security Incident Response and Reporting
SR-19.A Security Incident Report
Section 3 HIPAA Risk Analysis-Risk Management
RA-2.A Security Rule Checklist
# 19 Do you have Policies and Procedures to address Security Incidents?
# 20 Do you have Procedures to identify and respond to suspected or known Security Incidents, mitigate to the extent possible the harmful effects of Security Incidents that are known and document Security Incidents and their outcomes?
RA-5.B Risk Management Actions – Risks Identified by Security Rule Checklist
RA-6.D Risk Management – Security Rule Checklist Completion
Violation 7: FVC Augusta failed to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. See 45 C.F.R. § 164.310(b).
The HIPAA E-Tool® Solutions:
SR-28 Workstation Use
Section 3 HIPAA Risk Analysis-Risk Management
RA-2.A Security Rule Checklist
# 33 Do you implement Policies and Procedures that specify the proper functions to be performed, the manner in which those functions are to be performed and the physical attributes of the surroundings of a specific Workstation or class of Workstation that can access EPHI?
RA-5.B Risk Management Actions – Risks Identified by Security Rule Checklist
RA-6.D Risk Management – Security Rule Checklist Completion
The resolution agreement and corrective action plan may be found on the OCR website here.
The HIPAA E-Tool® is affordable, accessible and thorough – the most legally rigorous and complete HIPAA compliance solution available – and is designed to be used by business professionals without prior HIPAA knowledge. There is no need to gamble when you have the tools to comply. If you have questions, call us at 1-800-570-5879 or email info@hipaaetool.com.