HHS Settles with Health Plan in Photocopier Breach Case
Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored on the copiers’ hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.
- Read the Resolution Agreement (PDF)
The settlement comes as the September 24, 2013 deadline approaches for Covered Entities and their business partners (business associates) to update their processes to comply with changes to HIPAA’s regulations adopted by OCR earlier this year.
Please note that this issue is not confined to the return of printers and copiers. If a device contains PHI, it is also subject to administrative, technical and physical safeguards under HIPAA where it stands.
If you need assistance with HIPAA compliance, please contact Kinney & Larson.