On August 14, the Department of Health and Human Services (HHS) announced that it had reached a $1.2 million settlement with Affinity Health Plan, Inc. (Affinity) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Affinity is an independent, not-for-profit managed care company that offers free or low-cost health insurance to residents of the New York metropolitan area.

Affinity had notified the HHS Office for Civil Rights (OCR) in April 2010 that it suffered a breach of unsecured protected health information (PHI) that had been stored on the hard drives of leased photocopiers and not deleted when the copiers were returned to their lessors. CBS Evening News had purchased one of the photocopiers as part of an investigatory report, and notified Affinity that its hard drive contained PHI. Affinity then notified OCR as required by the Breach Notification Rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

OCR determined that Affinity had returned multiple photocopiers to their lessors without erasing the data from the copiers’ hard drives. Affinity estimated that up to 344,579 individuals may have been affected by the breaches. OCR’s investigation also uncovered other Security Rule violations, including that Affinity had failed to implement proper policies and procedures when returning the leased photocopiers.

In the HHS press release, OCR Director Leon Rodriguez said, “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent.”


In a release on August 22, the Federal Trade Commission announced that it had agreed on the terms of a consent order with Phoebe Putney Health System in Georgia that will allow Phoebe Putney to keep the hospital it acquired for $200 million in 2011. In February, the U.S. Supreme Court had upheld the FTC's decision to block the merger as a violation of federal antitrust laws.

Phoebe Putney Memorial Hospital, owned by the Hospital Authority of Albany-Dougherty County, had agreed to merge with Palmyra Medical Center, the only other acute-care hospital in the county. The Supreme Court agreed with the FTC’s contention that by reducing competition in Albany, the merger could result in higher medical costs for consumers. The ruling overturned a lower court decision that had upheld the proposed merger.

Had the FTC required Phoebe Putney to undo the acquisition, Georgia’s strict Certificate of Need (CON) law would have effectively precluded splitting the license for the now-combined hospitals and restoring the separate license for Palmyra Medical Center. The consent order will prohibit Phoebe Putney from challenging CON applications filed by competitors and require Phoebe Putney to notify the FTC before acquiring any other facilities or physician practices.


On August 15, HHS announced that it has awarded $67 million in grants to 105 “navigator” applicants that will help consumers shop for and purchase health insurance plans in the online health exchanges, or marketplaces, to be established under the Affordable Care Act. The navigators will assist users of the “federally facilitated” state exchanges to be operated entirely by the federal government, and the “State Partnership Marketplaces” to be jointly operated by states with HHS. Exchanges are scheduled to open on October 1 to allow consumers to enroll for coverage to be effective January 1, 2014.

Navigators and all other types of “enrollment assisters” (including agents and brokers) will be required to adhere to strict security and privacy standards and will be required to complete 20-30 hours of training to be certified. The federal government maintains a website with a list of recipients of navigator grants and additional information about navigators and other “in-person assisters.”