Under The New HIPAA Regime, A Lost Laptop Costs $1.5 Million But A Leased Photocopier Costs Almost As Much

Nearly one year after a Massachusetts provider paid $1.5 million to settle potential HIPAA violations for the theft of an unencrypted laptop containing protected health information (PHI), providers are reminded once again of how severe the consequences of a HIPAA breach can be. On August 14, 2013 the Department of Health and Human Services (HHS) announced that it entered into a $1,215,780 settlement agreement with Affinity Health Plan, Inc. for potential HIPAA violations involving the breach of unsecured PHI stored in multiple photocopiers.

As required by the HITECH Breach Notification Rule, Affinity filed a report with the HHS Office for Civil Rights (OCR) after learning that photocopiers previously leased by Affinity still had PHI on the hard drives when Affinity returned them to the leasing agent. It is estimated that as many as 344,579 individuals were affected by Affinity's failure to erase data contained on the hard drives. After investigating the incident, the OCR determined that the impermissible disclosure of PHI was not Affinity's only wrongdoing. Affinity also breached the HIPAA Security Rule when it failed to implement policies and procedures for returning the photocopiers and failed to incorporate PHI stored on the photocopiers in its analysis of security risks and vulnerabilities.

In addition to the settlement payment, Affinity entered into a Corrective Action Plan with the OCR that requires Affinity to: 1) use its best efforts to retrieve all photocopiers previously leased from the leasing agent and safeguard the PHI; and 2) conduct a comprehensive analysis of the security risks and vulnerabilities of all electronic equipment and systems used and develop a plan to mitigate any risks.

Additional Resources

In November 2010, the Federal Trade Commission (FTC) issued guidance on safeguarding data stored in the hard drives of photocopiers. The guidance can be found here.

What Providers Should Know

  • PHI is not just stored in computers and laptops—photocopiers, fax machines, tablets, cell phones and other electronic devices have storage capabilities, making them susceptible to security breaches. Providers need to identify and evaluate the risks presented by these data storage media as part of a sound risk analysis.
  • Both covered entities and business associates should have appropriate safeguards in place to protect PHI across any and all types of electronic devices.
  • Covered entities and business associates that utilize leased electronic devices and systems should conduct a risk analysis and set forth policies and procedures to properly erase PHI from the devices before returning them to the leasing agent. This also applies to those that own electronic devices and are looking to recycle, sell, or dispose of them.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising

Written by:


Polsinelli on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.