Provider to pay $3.5M for leaving the door unlocked on ePHI

Fresenius Medical Care North America (FMCNA) agreed to adopt a corrective action plan (CAP) and pay $3.5 million to settle allegations by the HHS Office of Civil Rights (OCR) of potential violations of HIPAA’s Privacy and Security Rules.

In 2013, FMCNA filed five breach reports regarding electronic protected health information (ePHI) held by five FMCNA covered entities. The resulting OCR investigation found that FMCNA had failed to conduct an accurate and thorough risk analysis of the vulnerabilities to its ePHI. The impermissible disclosures stemmed from FMCNA providing unauthorized access to individuals’ ePHI for purposes not permitted under HIPAA.

Among the specific findings were failures to implement policies and procedures:

  • To address security incidents;
  • To govern the receipt and removal of hardware and electronic media that contain ePHI;
  • To safeguard facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances; and
  • To encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.
The CAP requires FMCNA to conduct a risk analysis, develop a risk management plan, revise device management and control policies, develop an encryption report, and educate FMCNA workforce on the new policies and procedures.