Nearly one year after a Massachusetts provider paid $1.5 million to settle potential HIPAA violations for the theft of an unencrypted laptop containing protected health information (PHI), providers are reminded once again of how severe the consequences of a HIPAA breach can be. On August 14, 2013 the Department of Health and Human Services (HHS) announced that it entered into a $1,215,780 settlement agreement with Affinity Health Plan, Inc. for potential HIPAA violations involving the breach of unsecured PHI stored in multiple photocopiers.
As required by the HITECH Breach Notification Rule, Affinity filed a report with the HHS Office for Civil Rights (OCR) after learning that photocopiers previously leased by Affinity still had PHI on the hard drives when Affinity returned them to the leasing agent. It is estimated that as many as 344,579 individuals were affected by Affinity's failure to erase data contained on the hard drives. After investigating the incident, the OCR determined that the impermissible disclosure of PHI was not Affinity's only wrongdoing. Affinity also breached the HIPAA Security Rule when it failed to implement policies and procedures for returning the photocopiers and failed to incorporate PHI stored on the photocopiers in its analysis of security risks and vulnerabilities.
In addition to the settlement payment, Affinity entered into a Corrective Action Plan with the OCR that requires Affinity to: 1) use its best efforts to retrieve all photocopiers previously leased from the leasing agent and safeguard the PHI; and 2) conduct a comprehensive analysis of the security risks and vulnerabilities of all electronic equipment and systems used and develop a plan to mitigate any risks.
In November 2010, the Federal Trade Commission (FTC) issued guidance on safeguarding data stored in the hard drives of photocopiers. The guidance can be found here.
What Providers Should Know
PHI is not just stored in computers and laptops—photocopiers, fax machines, tablets, cell phones and other electronic devices have storage capabilities, making them susceptible to security breaches. Providers need to identify and evaluate the risks presented by these data storage media as part of a sound risk analysis.
Both covered entities and business associates should have appropriate safeguards in place to protect PHI across any and all types of electronic devices.
Covered entities and business associates that utilize leased electronic devices and systems should conduct a risk analysis and set forth policies and procedures to properly erase PHI from the devices before returning them to the leasing agent. This also applies to those that own electronic devices and are looking to recycle, sell, or dispose of them.