Fresenius Medical Care North America (FMCNA) serves over 170,000 patients and is considered a covered entity. This means they are required to abide by HIPAA standards. But on February 1, 2018, FMCNA was hit with a $3.5 million penalty for violations that had occurred 6 years prior.

In February and July of 2012, 5 computers, 2 laptops, and a USB drive were stolen on five separate occasions. These items contained the PHI of around 500 people total. But the cost of non-compliance for FMCNA is much more than a $3.5 million fine.

There’s also the price of implementing a corrective action plan with haste, and any legal fines that may ensue from the leaked patient information. Not to mention the cost of having your company name associated with a low level of security. Incidents like these can seriously corrode public confidence in an organization. When weighing the cost of non-compliance, it’s important to consider operational impacts like these as well.

How could this have been prevented?

By just conducting a detailed risk assessment and restricting access to private information, many of these incidents could have been averted. But this organization also failed to implement 5 HIPAA policies:

  1. Requiring proper documentation for the movement of items in and out of facilities.
  2. Prevention of tampering or theft.
  3. Restricting who has access to PHI at their workstation.
  4. The encryption and decryption of personal information.
  5. Properly addressing security incidents.

Sometimes not addressing your risks can be the biggest risk of all. When monetary penalties are calculated, it’s not just the effects of the breach that are taken into consideration; how quickly response steps were taken and the level of compliance efforts count as well.

In the case of FMCNA, the breaches were filed at least 6 months after they actually occurred, causing the organization to incur more of a fine.

What corrective action plan is in order?

So now with a hefty fine on their shoulders, what corrective action plan is in order?

This organization will be required to:

  1. Conduct a detailed risk assessment
  2. Implement risk management
  3. Regularly evaluate for operational changes
  4. Develop a process for an encryption report
  5. Revise policies on media control, as well as facility access control
  6. Develop an enhanced and regular training program

Roger Severino, the Director of OCR, once stated, “[t]here is no substitute for an enterprise-wide risk analysis for a covered entity.” And that’s true. Conducting a detailed and regular risk analysis is the most effective way to identify the strengths, weaknesses, opportunities, and vulnerabilities of your organization. But conducting such an assessment is not the easiest task to complete alone.

Let us help by simplifying this process! Contact us directly at 877-369-1831 or visit for more information.