Covered entities should examine their procedures to evaluate and safeguard protected health information (“PHI”) that may be stored on leased photocopiers and other office equipment. Under a settlement with the U.S. Department of Health and Human Services (“HHS”), Affinity Health Plan, Inc. (“Affinity”), a not-for-profit managed care plan serving the greater New York City area, will pay more than $1.2 million in penalties for its violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules relating to its failure to properly safeguard PHI stored on its photocopier hard drives.
Affinity filed a breach report with the HHS Office for Civil Rights (“OCR”) in 2010, as required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, after it was alerted to a potential breach. OCR then opened an investigation and concluded that Affinity had impermissibly disclosed the PHI of up to 344,579 individuals when it returned multiple photocopiers to its leasing agents without erasing the PHI stored on the photocopiers’ hard drives. The investigation also revealed that Affinity had not included photocopier hard drives in its analysis of risks and vulnerabilities, as the Security Rule requires, and had failed to implement its own policies and procedures when it returned the photocopiers to the leasing agents.
In addition to the more than $1.2 million penalty, the settlement mandates a corrective action plan requiring Affinity to use its best efforts to retrieve all of the affected photocopier hard drives, and to perform a comprehensive risk analysis of security risks and vulnerabilities of all of its electronic systems and equipment. Affinity is required to develop an OCR-approved plan to address and mitigate its security risks and vulnerabilities, including staff training on any revised policies and procedures.
This breach illustrates the need for covered entities and their business associates to develop and implement processes that identify every system or device that contains electronic PHI, including office equipment such as photocopiers, printers and multifunction devices whose internal hard drives retain images of the documents they process, and that require staff to sanitize PHI from those systems and devices, and to verify and document that sanitization, before the equipment is recycled, discarded or returned to a lessor.
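The following is an added illustration of the “wipe and verify” control described above; it is example code written for this page, not Affinity’s procedure or any copier vendor’s tool. It works on an ordinary file standing in for a photocopier hard-drive image (a constructed sample containing fake patient records), overwrites the whole image, and then reads it back to confirm that none of the sample records survive. The file name, the marker strings and the two-pass overwrite pattern are assumptions chosen for the demonstration.

```python
"""Added example: overwrite a simulated drive image and verify the wipe.

This is illustrative code, not Affinity's process or a vendor utility.
A regular file stands in for a copier hard drive; a real sanitization
targets the device itself and follows a documented method such as
NIST SP 800-88 (overwrite, cryptographic erase, or physical destruction).
"""
import os
import secrets
import tempfile

CHUNK = 1 << 16  # read/write granularity in bytes

# Constructed sample records standing in for PHI left on a copier drive.
SAMPLE_RECORD = b"PATIENT: Jane Doe; MRN 0000123; DX: hypertension\n"
MARKERS = [b"PATIENT:", b"MRN"]


def make_sample_image(path, size=256 * 1024):
    """Fill `path` with repeated fake records so it resembles a used drive."""
    with open(path, "wb") as f:
        written = 0
        while written < size:
            f.write(SAMPLE_RECORD)
            written += len(SAMPLE_RECORD)
    return os.path.getsize(path)


def overwrite(path, passes=("random", "zero")):
    """Overwrite every byte of the image once per pass and flush to disk."""
    size = os.path.getsize(path)
    for pattern in passes:
        with open(path, "r+b") as f:
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                chunk = secrets.token_bytes(n) if pattern == "random" else b"\x00" * n
                f.write(chunk)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not trust the page cache for a wipe
    return size


def residual_markers(path, markers):
    """Stream the image back and return the set of markers still present.

    A carry buffer of (longest marker - 1) bytes is kept between chunks so a
    marker straddling a chunk boundary is not missed.
    """
    tail = max(len(m) for m in markers) - 1
    found = set()
    carry = b""
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            window = carry + buf
            for m in markers:
                if m in window:
                    found.add(m)
            carry = window[-tail:] if tail else b""
    return found


def is_all_zero(path):
    """True if every byte of the image reads back as 0x00 (final pass held)."""
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return True
            if buf.count(0) != len(buf):
                return False


def sanitize_and_verify(path, markers=MARKERS):
    """Overwrite the image and report what the read-back check finds."""
    before = residual_markers(path, markers)
    overwrite(path)
    after = residual_markers(path, markers)
    return {"before": before, "after": after, "all_zero": is_all_zero(path)}


def demo():
    """Build a sample image in a temp dir, wipe it, and return the report."""
    path = os.path.join(tempfile.mkdtemp(), "copier.img")  # assumed name
    make_sample_image(path)
    return sanitize_and_verify(path)


if __name__ == "__main__":
    print(demo())
```

Two caveats for real equipment: a file-level overwrite like this one does not reach sectors a drive has remapped, and overwriting is not a reliable sanitization method for flash or SSD media, so drives leaving the organization’s control should be cryptographically erased or physically destroyed where the device supports no verifiable purge. The read-back step is the part worth keeping regardless of method: it is the evidence that the policy was actually carried out on the unit being returned.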