On August 14, 2013, the United States Department of Health and Human Resources ("HHS") announced a $1,215,780.00 settlement with Affinity Health Plan, Inc. ("Affinity") as a result of an investigation of potential violations of the HIPAA Privacy and Security Rules.
Affinity was informed by CBS Evening News that CBS had purchased a photocopier previously leased by Affinity. CBS told Affinity that the hard drive in the photocopier contained confidential medical information relating to Affinity Health Plan beneficiaries. As a result, on August 15, 2010, Affinity self-reported a breach to the HHS Office for Civil Rights ("OCR"). Affinity estimated that the medical records of up to 344,579 individuals may have been affected by this improper disclosure. Affinity apparently returned multiple photocopiers to an office equipment vendor without erasing the data stored on the internal hard drives of the photocopiers.
Upon investigation, OCR determined that Affinity had failed to include the photocopier hard drives within the scope of electronic protected health information ("ePHI") in its risk assessment process, as required by the Security Rule. Affinity had also failed to implement appropriate policies and procedures for returning photocopiers to its office equipment vendor. Through the resulting breach, Affinity also violated the Privacy Rule.
Leon Rodriguez, Director of OCR, stated that, "This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it is recycled, thrown away or sent back to a leasing agent…HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information."
In addition to the agreed-upon settlement payment of $1,215,780.00, the settlement also requires a Corrective Action Plan ("CAP"). Affinity must use its best efforts to retrieve all hard drives from photocopiers previously leased by the plan that remain in the possession of the leasing agent, and take protective measures to safeguard all ePHI.
A copy of the press release from OCR can be found here.
Affinity's agreement with HHS and the CAP can be found on the OCR website or by clicking here.
For additional information on safeguarding sensitive data stored on the hard drives of digital copiers, see the guidance from the Federal Trade Commission by clicking here.
Covered entities and business associates must make sure they have conducted a thorough risk assessment that reviews the manner in which they use, store and disclose protected health information ("PHI"). While the risks of stolen laptops and cell phones were already well known, this settlement underscores the fact that many "smart" electronic devices store PHI in flash memory, internal hard drives, storage cards, and cloud storage, requiring covered entities and business associates to stay one step ahead of the technology used in their businesses to avoid an inadvertent but costly breach.