Health Plan Agrees To $1.2 Million Settlement For Photocopier HIPAA Security Breach


The Department of Health and Human Services (HHS) announced a settlement on August 14, 2013, with Affinity Health Plan (Affinity), a not-for-profit managed care plan, which included a payment of $1,215,780, for a HIPAA security violation caused by Affinity’s failure to remove Electronic Protected Health Information (EPHI) from the hard drive of a leased photocopier that was returned to the leasing company.

As required by the Health Information Technology for Economic and Clinical Health Act (HITECH), Affinity notified HHS of the breach of unsecured EPHI in April 2010.  Affinity had been informed by CBS Evening News that a photocopier returned by Affinity to a leasing company contained EPHI on a hard drive.  CBS had purchased the copier in connection with an investigatory report.

HHS found that Affinity had 1) impermissibly disclosed EPHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers back to a leasing company; 2) failed to assess and identify the potential security risks and vulnerabilities of EPHI stored on the photocopier hard drives; and 3) failed to implement policies for the disposal of EPHI for those photocopier hard drives.

In addition to the payment, Affinity entered into a Corrective Action Plan (CAP) with HHS, requiring Affinity to use its best efforts to retrieve all hard drives contained in photocopiers previously leased by the plan, safeguard all EPHI contained on them from impermissible disclosure, and provide HHS with written certification of the actions taken.  If Affinity is unable to retrieve the hard drives, it must provide HHS with documentation explaining its best efforts.  Within 30 days of signing the CAP, Affinity must conduct a comprehensive risk analysis of EPHI security risks and vulnerabilities that incorporates all of its controlled, owned or leased electronic equipment and systems, and develop a plan to address and mitigate any security risks and vulnerabilities found by this analysis.  The plan must be forwarded to HHS for review.  Affinity must incorporate any HHS revisions to the plan and train staff members on any revised policies and procedures within 30 days of HHS approval.

Reminder: Wipe Personal Info from Hardware Before Recycling, Disposing or Returning

According to the Director of the Office for Civil Rights of HHS Leon Rodriguez, “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”  This case is a reminder to “[m]ake sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to the leasing agent.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising
