The US Department of Health and Human Services (HHS) announced it reached a $1,215,780 settlement with Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The HHS Office for Civil Rights (OCR) investigated when Affinity filed a required breach report. Affinity had been informed by a representative of CBS Evening News that CBS purchased a copier previously leased by Affinity containing protected health information (PHI) stored on the hard drive.
OCR determined that Affinity:
Impermissibly disclosed the PHI of approximately 345,000 individuals when it returned photocopiers to the leasing agent without erasing the hard drives;
Failed to conduct the proper assessment necessary to identify potential security risks and vulnerabilities of electronic protected health information (ePHI), as required by the Security Rule; and
Did not implement policies and procedures for returning the photocopier hard drives to the leasing agent.
In addition to the financial settlement, Affinity entered into a Corrective Action Plan (CAP) requiring Affinity to use its best efforts to retrieve all hard drives contained in the photocopiers it previously leased that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.
According to OCR Director Leon Rodriguez, "This settlement illustrates an important reminder about equipment designed to retain electronic information. Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent." Rodriguez further stated, "HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information."