The Department of Health and Human Services (HHS) announced a settlement on August 14, 2013, with Affinity Health Plan (Affinity), a not-for-profit managed care plan, which included a payment of $1,215,780, for a HIPAA security violation caused by Affinity’s failure to remove Electronic Protected Health Information (EPHI) from the hard drive of a leased photocopier that was returned to the leasing company.

As required by the Health Information Technology for Economic and Clinical Health Act (HITECH), Affinity notified HHS of the breach of unsecured EPHI in April 2010.  Affinity had been informed by CBS Evening News that a photocopier returned by Affinity to a leasing company contained EPHI on a hard drive.  CBS had purchased the copier in connection with an investigatory report.

HHS found that Affinity had 1) impermissibly disclosed EPHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers back to a leasing company; 2) failed to assess and identify the potential security risks and vulnerabilities of EPHI stored on the photocopier hard drives; and 3) failed to implement policies for the disposal of EPHI for those photocopier hard drives.

In addition to the payment, Affinity entered into a Corrective Action Plan (CAP) with HHS, requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan, safeguard all EPHI contained therein from impermissible disclosure, and provide HHS with written certification of the actions taken.  If Affinity is unable to retrieve the hard drives, it must provide HHS with documentation explaining its best efforts.  Within 30 days of signing the CAP, Affinity must conduct a comprehensive risk analysis of EPHI security risks and vulnerabilities that incorporates all of its controlled, owned or leased electronic equipment and systems, and develop a plan to address and mitigate any security risks and vulnerabilities found by this analysis.  The plan must be forwarded to HHS for review.  Affinity must include any HHS revisions to the plan and train staff members on any revised policies and procedures within 30 days of HHS approval.

Reminder: Wipe Personal Info from Hardware Before Recycling, Disposing or Returning

According to the Director of the Office for Civil Rights of HHS Leon Rodriguez, “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”  This case is a reminder to “[m]ake sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to the leasing agent.”

© 2013 Perkins Coie LLP