According to a news release issued by the Department of Health and Human Services (HHS), HHS entered into a settlement agreement with Affinity Health Plan, Inc. to settle claims related to violations of the Health Information Portability and Accountability Act of 1996 (HIPAA).  Upon learning that the protected health information of possibly over 300,000 individuals was accessible on leased copiers returned by Affinity to the leasing company, Affinity reported the HIPAA violations to HHS as required by HIPAA’s breach notification rules.  Among other corrective actions, HHS reports that Affinity agreed to pay a fine of $1,215,780.

This settlement is important for two reasons.  First, it underscores that protected health information (PHI) may be found in places that plan administrators and others subject to HIPAA may not immediately consider.  It is important to do a thorough analysis of areas where protected health information, and particularly electronic protected health information, may be held.

It also a reminder of the importance of keeping up to date on HIPAA matters.  The Health Information Technology for Economic and Clinical Health Act (HITECH) added breach notification and additional privacy requirements to the HIPAA Rules.  HHS has issued final regulations which are generally effective September 23, 2013.   The new rules require updates to HIPAA policies and procedures, notice of privacy practices, plan documents and other HIPAA documents.  Updated training for employees with access to PHI may also be required.