On Wednesday, August 14, 2013, the U.S. Department of Health and Human Services (HHS), announced that it had reached a $1,215,780 settlement with Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, relating to potential HIPAA violations stemming from a breach of PHI stored on photocopier hard drives.

Affinity was required to report the 2010 breach to HHS under the HITECH Breach Notification Rule after it was informed by a representative of CBS Evening News that CBS had purchased a photocopier previously leased by Affinity, and the copier that Affinity had used contained confidential medical information on the hard drive. Subsequent investigation revealed that as many as 344,579 individuals may have been affected by this breach.

OCR’s (identify OCR) investigation indicated that the breach occurred when Affinity returned multiple photocopiers to its leasing agents without erasing the data contained on the copier hard drives, failed to account for ePHI stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement its policies and procedures when returning the photocopiers to its leasing agents. In addition to the $1,215,780 payment, Affinity was required to enter into a corrective action plan which requires it to attempt to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain additional measures to safeguard all ePHI.

The Federal Trade Commission and the National Institute of Standards and Technology have issued guidance for proper safeguarding of photocopier hard drives. Copies of this guidance are available here and here.

More information regarding this Breach and settlement can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html.

With the September 23, 2013 compliance date for the HIPAA Omnibus Final Rule fast approaching, all HIPAA covered entities and business associates should take steps to ensure they have conducted a thorough security risk assessment, properly trained all workforce members who handle PHI, updated their business associate agreements and breach notification policies, implemented all HIPAA policies and procedures, and taken all other steps necessary to come into full compliance.