Why OCR is making a statement with the Fresenius settlement
The HHS Office for Civil Rights announced a $3.5 million settlement with Fresenius Medical Care Holdings and five of its subsidiaries after the report and investigation of five separate breach notifications.
It’s important to note that these were individually very small incidents. The five breaches in total impacted 521 individuals, with no single breach crossing the 500-individual threshold that would require the company to send immediate notifications to those whose information was compromised. In fact, the breaches were reported at the same time, near the annual deadline for reporting breaches impacting fewer than 500 individuals.
Diving into the background of the settlement report, there are not many surprises in terms of how data was accessed. Across the five entities, five desktop computers were taken, two laptops were stolen, one USB device was taken from a car and one desktop hard drive was misplaced. All of the computers and devices contained unsecured electronic protected health information, which in plain terms means that none of the devices were encrypted. Taken together, these are run-of-the-mill breaches, similar to ones reported on a daily basis.
There is an interesting component to the announced resolution. Fresenius reported the five breaches on Jan. 21, 2013, so the report was submitted more than five years ago. Probably as a result of the cluster of breaches by a group of commonly controlled entities, OCR conducted a compliance review. That review was initiated on July 15, 2013, about four and a half years ago.
OCR’s review, summarized in the resolution agreement, found fairly typical forms of non-compliance. Specifically, risk analyses were insufficient, facilities were not adequately secured against unauthorized access, encryption was not utilized, and tracking of removed hardware did not occur, among a few other findings. As suggested, none of these findings were unusual.
Why, then, was Fresenius fined $3.5 million, if the overview of the circumstances outlined above does not show any bad action that distinguishes these from previous breaches and settlements? To answer that question, it is important to remember OCR Director Roger Severino’s headline-making quote from the fall.
He was quoted at a conference as saying, “At most, I will say the big, juicy case is going to be my priority and the methods for us finding it – stay tuned.” That statement was coupled with a passing nod to including an educational component in any such big fine.
OCR Director Severino’s quote certainly makes the nature of the Fresenius fine a little more understandable. Trying to make a splash would seem to be the only justification for suddenly imposing a $3.5 million fine on five breaches of a relatively small nature that were reported and investigated over four years.
I’m not trying to dismiss the serious consequences and impact that all breaches, no matter how big or small, have on the individuals affected. However, the size of the punishment does not seem to fit the actions that occurred. As already indicated, many similar scenarios are reported on a daily basis, and no multi-million dollar fines are imposed. Instead, this feels like an instance of pursuing a large entity with deep pockets and a well-known name. On the whole, the settlement is not in line with OCR’s recent history of settlements.
With all of that being said, should entities with the ability to cover a large fine be more fearful about the fallout from any breach report? At best, the answer is that it remains to be seen. The Fresenius settlement should certainly be taken as a warning, though, and a lesson that HIPAA-related settlements may focus more on the money than on actually conveying a lesson about HIPAA compliance.