The Department of Health and Human Services announced on August 14, 2013, that it entered into a settlement agreement with Affinity Health Plan, Inc. (Affinity) resolving allegations that Affinity violated the Health Insurance Portability and Accountability Act (HIPAA). In 2010, as required by the Health Information Technology for Economic and Clinical Health Act, Affinity reported a data breach involving protected health information (PHI) on leased photocopiers. Affinity had failed to properly erase the hard drives of its leased photocopiers before returning them to the supplier, resulting in the disclosure of the PHI of 344,579 individuals.
In addition to a $1.2 million payment to the federal government, the settlement agreement required Affinity to enter into a corrective action plan to secure PHI by retrieving the hard drives from the photocopiers it previously leased, conducting a risk analysis, and revising its PHI security policies and procedures as necessary. The settlement agreement serves as a reminder that HIPAA requires not only confidential treatment of PHI but also ongoing analysis of security risks and implementation of policies to secure PHI, including the data that remains on the storage media of copiers and similar office equipment when that equipment is returned, sold, or disposed of. To assist businesses in developing such policies, the Federal Trade Commission has issued a guide on securing the information stored on photocopier hard drives.