Nearly one year after a Massachusetts provider paid $1.5 million to settle potential HIPAA violations for the theft of an unencrypted laptop containing protected health information (PHI), providers are reminded once again of how severe the consequences of a HIPAA breach can be. On August 14, 2013 the Department of Health and Human Services (HHS) announced that it entered into a $1,215,780 settlement agreement with Affinity Health Plan, Inc. for potential HIPAA violations involving the breach of unsecured PHI stored in multiple photocopiers.

As required by the HITECH Breach Notification Rule, Affinity filed a report with the HHS Office for Civil Rights (OCR) after learning that photocopiers previously leased by Affinity still had PHI on the hard drives when Affinity returned them to the leasing agent. It is estimated that as many as 344,579 individuals were affected by Affinity's failure to erase data contained on the hard drives. After investigating the incident, the OCR determined that the impermissible disclosure of PHI was not Affinity's only wrongdoing. Affinity also breached the HIPAA Security Rule when it failed to implement policies and procedures for returning the photocopiers and failed to incorporate PHI stored on the photocopiers in its analysis of security risks and vulnerabilities.

In addition to the settlement payment, Affinity entered into a Corrective Action Plan with the OCR that requires Affinity to: 1) use its best efforts to retrieve all photocopiers previously leased from the leasing agent and safeguard the PHI; and 2) conduct a comprehensive analysis of the security risks and vulnerabilities of all electronic equipment and systems used and develop a plan to mitigate any risks.

Additional Resources

In November 2010, the Federal Trade Commission (FTC) issued guidance on safeguarding data stored in the hard drives of photocopiers. The guidance can be found here.

What Providers Should Know