Health Plan Pays $1.2 Million HIPAA Settlement for Impermissible Disclosures of E-PHI Involving Photocopiers | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement between its Office for Civil Rights (OCR) and a health plan to settle alleged violations of privacy and security requirements under the Health Information Portability and Accountability Act (HIPAA). The plan impermissibly disclosed the electronic protected health information (electronic PHI) of up to 344,579 individuals by failing to properly erase photocopier hard drives before returning the photocopiers to a leasing company.

Health Plan Pays $1.2 Million HIPAA Settlement for Impermissible Disclosures of E-PHI Involving Photocopiers

by Practical Law Employee Benefits & Executive Compensation
Published on 14 Aug 2013 | USA (National/Federal)
On August 7, 2013, HHS' Office for Civil Rights (OCR) entered into a resolution agreement with a health plan (and HIPAA covered entity), Affinity Health Plan, Inc., to settle alleged violations of HIPAA's privacy and security rules. OCR began its investigation after Affinity notified HHS of a breach involving electronic protected health information (electronic PHI), as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Affinity was informed of the situation by a representative of CBS Evening News, which, as part of an investigatory report:
  • Purchased a photocopier that was previously leased by Affinity.
  • Found confidential medical information on the photocopier's hard drive.
The OCR investigation indicated that Affinity:
  • Impermissibly disclosed the electronic PHI of up to 344,579 individuals by failing to properly erase photocopier hard drives before returning the photocopiers to the leasing company.
  • Failed to assess and identify the potential security risks of electronic PHI stored in the photocopier hard drives.
  • Did not implement its policies for disposing of electronic PHI on the photocopier hard drives.
On August 14, 2013, OCR announced a resolution agreement with Affinity, under which the health plan will:
  • Pay HHS $1,215,780.
  • Implement a corrective action plan requiring it to:
    • use best efforts to retrieve all hard drives that were contained on photocopiers that the plan previously leased and that remain in the possession of the leasing agent, and, if it cannot retrieve the hard drives, provide documentation to OCR explaining why it was unable to do so;
    • conduct a comprehensive risk analysis of security risks and vulnerabilities to electronic PHI in all electronic equipment and systems controlled, owned or leased by Affinity; and
    • develop a plan to address and mitigate any security risks and vulnerabilities regarding electronic PHI.

Practical Impact

This resolution agreement, involving a piece of office equipment that many employees use on a daily basis, is a useful (though costly) reminder that personal information should be removed from hardware before the equipment is recycled, discarded or returned to a leasing agent. This resolution agreement is the latest in a series of settlements issued in advance of the compliance date (September 23, 2013) for HHS' final regulations under HIPAA and the HITECH Act. For a discussion of the final regulations, see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule.