One challenge in keeping health information private, as HIPAA requires, is knowing every place it is stored, whether on paper or electronically. HHS just announced a resolution agreement with Affinity Health Plan (a not-for-profit managed care plan serving the New York metropolitan area) after it was discovered that Affinity had not scrubbed the internal hard drives of its leased photocopiers before returning the machines to the leasing agent. Digital copiers retain images of the documents they process on those drives, and in Affinity's case the drives contained the confidential medical information of over 300,000 individuals. Affinity reported the breach to HHS as HIPAA requires.

The resolution agreement with HHS requires Affinity to pay a penalty of $1,215,780 and implement a corrective action plan under which Affinity will conduct a comprehensive risk analysis to determine what security risks and vulnerabilities are associated with all of its electronic equipment or systems.