In an August 14, 2013 press release, the Department of Health and Human Services (“HHS”) announced that Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. Affinity is a not-for-profit managed care plan serving the New York metropolitan area.
The HHS Office of Civil Rights (“OCR”) investigation revealed that Affinity impermissibly disclosed the protected health information (“PHI”) of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data stored on the copiers’ hard drives. Affinity first became aware of the potential breach of unsecured PHI when contacted by the television network CBS. CBS Evening News had purchased a photocopier previously leased by Affinity and informed Affinity that the copier’s hard drive still contained confidential medical information. OCR’s investigation found that Affinity failed to conduct a proper risk analysis of electronic PHI stored on photocopier hard drives, as required by the HIPAA Security Rule, and failed to implement policies and procedures governing the return of the photocopiers to its leasing agents.
In addition to the payment of over $1.2 million, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives from photocopiers it previously leased that remain in the leasing agent’s possession, and to take certain measures to safeguard all PHI. OCR Director Leon Rodriguez stated in the press release, “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent.”
The resolution agreement between OCR and Affinity and the corrective action plan can be found here.