FMCNA to Pay $3.5 Million for Non-Compliance with HIPAA’s Risk Analysis and Risk Management Rules

Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and to adopt a comprehensive corrective action plan, in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. FMCNA is a provider of products and services for people with chronic kidney failure with over 60,000 employees that serves over 170,000 patients. FMCNA’s network is comprised of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.

Read the full article on HHS’ website and pay careful attention to the 6 specific issues the OCR’s investigation identified as a basis for the fine:

  1. Failed to conduct an adequate risk analysis.
  2. Provided unauthorized access for a purpose not permitted by the Privacy Rule.
  3. Failed to implement policies and procedures to address security incidents.
  4. Failed to implement policies and procedures for devices containing ePHI inside and outside of the facility.
  5. Failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft.
  6. Failed to encrypt ePHI in appropriate circumstances.


Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

This site uses Akismet to reduce spam. Learn how your comment data is processed.