Under The New HIPAA Regime, A Lost Laptop Costs $1.5 Million But A Leased Photocopier Costs Almost As Much

Nearly one year after a Massachusetts provider paid $1.5 million to settle potential HIPAA violations for the theft of an unencrypted laptop containing protected health information (PHI), providers are reminded once again of how severe the consequences of a HIPAA breach can be. On August 14, 2013 the Department of Health and Human Services (HHS) announced that it entered into a $1,215,780 settlement agreement with Affinity Health Plan, Inc. for potential HIPAA violations involving the breach of unsecured PHI stored in multiple photocopiers.

As required by the HITECH Breach Notification Rule, Affinity filed a report with the HHS Office for Civil Rights (OCR) after learning that photocopiers previously leased by Affinity still had PHI on the hard drives when Affinity returned them to the leasing agent. It is estimated that as many as 344,579 individuals were affected by Affinity's failure to erase data contained on the hard drives. After investigating the incident, the OCR determined that the impermissible disclosure of PHI was not Affinity's only wrongdoing. Affinity also breached the HIPAA Security Rule when it failed to implement policies and procedures for returning the photocopiers and failed to incorporate PHI stored on the photocopiers in its analysis of security risks and vulnerabilities.

In addition to the settlement payment, Affinity entered into a Corrective Action Plan with the OCR that requires Affinity to: 1) use its best efforts to retrieve all photocopiers previously leased from the leasing agent and safeguard the PHI; and 2) conduct a comprehensive analysis of the security risks and vulnerabilities of all electronic equipment and systems used and develop a plan to mitigate any risks.

Additional Resources

In November 2010, the Federal Trade Commission (FTC) issued guidance on safeguarding data stored in the hard drives of photocopiers. The guidance can be found here.

What Providers Should Know

  • PHI is not just stored in computers and laptops—photocopiers, fax machines, tablets, cell phones and other electronic devices have storage capabilities, making them susceptible to security breaches. Providers need to identify and evaluate the risks presented by these data storage media as part of a sound risk analysis.
  • Both covered entities and business associates should have appropriate safeguards in place to protect PHI across any and all types of electronic devices.
  • Covered entities and business associates that utilize leased electronic devices and systems should conduct a risk analysis and set forth policies and procedures to properly erase PHI from the devices before returning them to the leasing agent. This also applies to those that own electronic devices and are looking to recycle, sell, or dispose of them.


Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.