Who knew that photocopiers stored information? Apparently "CBS Evening News" did, and now an April 2010 investigative report has led to a million-dollar HIPAA settlement.

Affinity Health Plan, Inc. (Affinity), a New York-based, not-for-profit health plan, agreed to pay the Office for Civil Rights (OCR) $1,215,780 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resulted from a breach self-report by Affinity, which first learned of the electronic protected health information (PHI) stored on its formerly leased photocopier's hard drive from "CBS Evening News" (CBS).

In April 2010, CBS conducted an investigative report on the security risks associated with digital photocopiers, which, since 2002, typically contain hard drives that can store an image of every document copied, scanned, or emailed from the machine. As part of the investigation, CBS purchased four randomly selected used photocopiers, including one previously leased by Affinity. On the machine's hard drive, CBS found 300 pages of individuals' medical records.

Following Affinity's breach self-report, OCR found that Affinity impermissibly disclosed PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the machines' hard drives. OCR further determined that Affinity (1) failed to include electronic PHI stored on photocopiers' hard drives in its required Security Rule risk analysis, and (2) failed to implement its existing policies and procedures when returning photocopiers to its leasing agents.

In addition to the $1.2 million settlement, the Resolution Agreement between OCR and Affinity included a corrective action plan (CAP). The CAP requires Affinity to use its best efforts to retrieve all hard drives that were contained in photocopiers previously leased by Affinity and that remain in the possession of the leasing agent. Affinity must also (1) conduct a comprehensive risk analysis that incorporates all electronic equipment and systems controlled, owned, or leased by Affinity; (2) develop a plan to address and mitigate security risks and vulnerabilities found in its analysis; and (3) if necessary, revise its current policies and procedures accordingly.

The global take-away from this latest enforcement action is that an entity's failure to comply with the obligation to conduct a comprehensive Security Rule risk analysis remains OCR's primary, and most often used, trigger for significant enforcement action. Since almost every business uses photocopiers, Affinity serves as a reminder that all covered entities and business associates should implement policies and procedures to ensure that all hard drives are scrubbed of PHI before leaving their possession. More information on safeguarding sensitive data stored in the hard drives of digital photocopiers can be found here.

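As an added illustration (not from the article, and not Affinity's or OCR's procedure), the script below shows one verification step such a scrubbing procedure could include: after a copier's drive has been overwritten with zeros, take a raw image of it (for example with dd) and confirm that no block still reads back as data, flagging any block that carries the file signatures copiers commonly use for scanned pages (PDF, JPEG, TIFF). The block size, the signature table and the sample images are my assumptions; the sample images are constructed in code and contain no real records.

```python
# Added example (not from the article): verify that a photocopier hard drive,
# or a raw image of one, reads back as all zeros after an overwrite, and flag
# any residual blocks that still carry scanned-document file signatures.
import io
from dataclasses import dataclass
from typing import BinaryIO, Dict, Optional

# Well-known file signatures for formats copiers commonly write scanned pages in.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
}


@dataclass
class SanitizationReport:
    total_blocks: int
    residual_blocks: int              # blocks containing at least one non-zero byte
    first_residual_offset: Optional[int]
    signatures_found: Dict[str, int]  # signature name -> number of blocks containing it

    @property
    def sanitized(self) -> bool:
        # The drive only counts as clear when every block reads back as zeros.
        return self.residual_blocks == 0


def scan_stream(stream: BinaryIO, block_size: int = 4096) -> SanitizationReport:
    """Read the stream block by block and count blocks that are not all zero."""
    total = residual = 0
    first: Optional[int] = None
    sigs: Dict[str, int] = {}
    offset = 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        total += 1
        if any(block):  # any non-zero byte means the block was not overwritten
            residual += 1
            if first is None:
                first = offset
            for magic, name in SIGNATURES.items():
                if magic in block:
                    sigs[name] = sigs.get(name, 0) + 1
        offset += len(block)
    return SanitizationReport(total, residual, first, sigs)


def scan_path(path: str, block_size: int = 4096) -> SanitizationReport:
    """Scan a raw image file or block device (e.g. a dd image of the removed drive)."""
    with open(path, "rb") as f:
        return scan_stream(f, block_size)


def constructed_image(dirty: bool, block_size: int = 4096, blocks: int = 16) -> bytes:
    """Constructed sample drive image for the demo; placeholder bytes only, no real data."""
    buf = bytearray(block_size * blocks)
    if dirty:
        # A leftover PDF header at the start of block 3 ...
        pdf = b"%PDF-1.4\n% constructed sample scan page, placeholder text only\n"
        buf[3 * block_size:3 * block_size + len(pdf)] = pdf
        # ... and a JPEG header part-way into block 10.
        jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF"
        start = 10 * block_size + 100
        buf[start:start + len(jpg)] = jpg
    return bytes(buf)


def report_for(dirty: bool) -> SanitizationReport:
    """Scan one of the constructed sample images (dirty=True simulates a drive returned as-is)."""
    return scan_stream(io.BytesIO(constructed_image(dirty)))


if __name__ == "__main__":
    for label, dirty in (("overwritten drive", False), ("drive returned as-is", True)):
        r = report_for(dirty)
        print(f"{label}: sanitized={r.sanitized} "
              f"residual={r.residual_blocks}/{r.total_blocks} "
              f"first_offset={r.first_residual_offset} signatures={r.signatures_found}")
```

A clean read-back only proves that the sectors the host can address were overwritten; sectors a drive controller has remapped, or spare flash cells on solid-state media, are not visible to this check, so it complements a manufacturer's secure-erase or physical destruction rather than replacing it. The signature scan is there to make the report actionable: a non-zero block that also carries a PDF or JPEG header is a concrete indication that scanned pages survived the return.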
For additional information on OCR's enforcement activities, visit the U.S. Department of Health and Human Services website.

This article is presented for informational purposes only and is not intended to constitute legal advice.