Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations.  While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities.  OCR is sending a message about HIPAA Security Rule compliance.

Five Fresenius entities in five different states suffered five completely separate but relatively common breaches.  Each breach involved stolen or missing equipment.  No single breach involved the records of more than 500 patients; combined, the total number of patients affected was 521.  As a reminder, the $5.5 million settlement this time last year with Memorial Health Care System involved the records of 115,143 individuals.

The five Fresenius breaches involved:

Breach 1:  two stolen desktop computers containing the ePHI of 200 patients.

Breach 2:  a stolen unencrypted USB drive containing the ePHI of 245 patients.

Breach 3:  a missing hard drive containing the ePHI of 35 patients.

Breach 4:  an unencrypted laptop stolen from a car containing the ePHI of 10 patients.

Breach 5:  a stolen desktop computer containing the ePHI of 31 patients.

These breaches occurred between February 2012 and June 2012, and Fresenius timely reported them on January 21, 2013.  Six months later, OCR launched an investigation.  Of OCR’s seven findings, the most significant is the failure to conduct an accurate and thorough risk analysis under the HIPAA Security Rule.  Five of the remaining six findings also relate to alleged HIPAA Security Rule violations (e.g., the failure to implement policies and procedures, or mechanisms, to protect ePHI).

Important takeaways:  OCR reads breach reports involving breaches affecting fewer than 500 patients. The HIPAA Security Rule matters.  Do the risk analysis.  Have policies and procedures that comply with the HIPAA Security Rule.  Don’t wait.