Health care providers are well aware of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), taking precautions to ensure that protected health information (“PHI”) is protected on computers, phones, and in filing cabinets. It is standard provider practice to wipe the hard drives on computers and phones, but what about the office photocopier? A recent settlement with the Department of Health and Human Services’ Office of Civil Rights (“OCR”) shed light on a lesser known source of potential HIPAA violations: digital office equipment.
On August 14, 2013, HHS announced a $1,215,780 settlement with Affinity Health Plan, a not-for-profit managed care plan, for a potential HIPAA violation arising from the lease of a digital photocopier. Digital photocopiers contain hard drives, which store all of the information that is copied. For health care providers, this information includes medical records and other documents containing PHI (e.g. driver’s licenses and Social Security cards). While digital copiers have been capable of storing information for over a decade, this $1.2 million settlement marks the first time a HIPAA breach settlement has resulted from a digital photocopier.
On April 15, 2010, Affinity Health Plan filed a breach report with OCR. The report divulged that Affinity Health Plan had impermissibly disclosed the PHI of hundreds of thousands of individuals after returning leased photocopiers without wiping the hard drives. As a result, OCR began an investigation of potential violations of the HIPAA Privacy and Security Rules. The investigation revealed a failure to assess potential security risks and to implement an acceptable policy governing the disposal of PHI stored on photocopier hard drives.
In light of this landmark settlement, health care providers should conduct risk assessments for all equipment capable of storing digital information and ensure that security policies are updated accordingly.