You might be rejoicing at the thought of returning your old, worn-down leased photocopier and replacing it with the latest state-of-the-art model. But your old photocopier could inadvertently expose your organization to violations of the Health Insurance Portability and Accountability Act ("HIPAA"), which may result in substantial financial penalties.
A New York insurance company recently settled with the Department of Health and Human Services ("HHS") over a breach of protected health information ("PHI") arising from its alleged failure to wipe PHI from leased photocopier hard drives before returning them to leasing agents. The settlement, entered into by Affinity Health Plan Inc., a nonprofit managed care plan, totaled $1,215,780. Investigative reporters from CBS discovered Affinity's failure to erase PHI from a photocopier's hard drive after they purchased it. Affinity filed a HITECH Act-required breach report with the Office of Civil Rights ("OCR") after learning of the breach from the reporters. Affinity estimated that its failure to erase the hard drives compromised nearly 350,000 individuals' PHI.
The OCR determined that Affinity (i) "impermissibly disclosed the EPHI [electronic protected health information] of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company," (ii) "failed to assess and identify the potential security risks and vulnerabilities of EPHI stored in the photocopier hard drives," and (iii) "failed to implement its policies for the disposal of EPHI with respect to the aforementioned photocopier hard drives." As part of the settlement, the OCR required Affinity to submit a plan outlining efforts to retrieve all other compromised hard drives from the leasing agents and also to assess its risk for further breaches.
This settlement should motivate HIPAA covered entities to reevaluate their practices and procedures for handling stored PHI. Health care entities should adopt comprehensive policies governing the return of leased equipment of all kinds that could contain PHI, not just photocopiers: scanners, computers, hard drives, USB flash drives, etc. can all store PHI. These measures could include rewriting business associate agreements to anticipate the circumstances described above, requiring business associates to wipe PHI from all devices before reselling or discarding them, and requiring that all data on leased equipment be rendered unreadable before its return.
The Federal Trade Commission recently released guidance with regard to photocopier security available at http://business.ftc.gov/documents/bus43-copier-data-security.
The authors would like to acknowledge Conor McNally for providing assistance with the research and writing of this News Alert.