HIPAA Compliance: New York Health Plan Sanctioned for Photocopier Breach

In an August 14, 2013 press release, the Department of Health and Human Services (“HHS”) announced that Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. Affinity is a not-for-profit managed care plan serving the New York metropolitan area.

The HHS Office of Civil Rights (“OCR”) investigation revealed that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. Affinity first became aware of the potential breach of unsecured protected health information when contacted by television network CBS. CBS Evening News had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive. OCR’s investigation revealed that Affinity failed to conduct a proper risk analysis of electronic protected health information stored on photocopier hard drives as required by the HIPAA Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the payment of over $1.2 million, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained in photocopiers previously leased by Affinity and that remain in the possession of the leasing agent, and to take certain measures to safeguard all PHI. OCR Director Leon Rodriguez stated in the press release, “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent.”

The resolution agreement between OCR and Affinity and the corrective action plan can be found here.

About Bose McKinney & Evans LLP

Bose McKinney & Evans LLP is a business law firm, headquartered in Indianapolis, Indiana, serving both publicly held and privately held businesses, governmental entities and high-growth industries. Our clients include Fortune 100 companies, international manufacturers, national and regional financial institutions, agribusinesses, sports teams, university-incubated start-ups, media, utilities, cities and schools, to name a few. We strive to build strong relationships with our clients as key business advisors, to exceed expectations in the quality of our work, to be knowledgeable about our clients’ businesses and sectors, to be responsive to service needs and to continually seek to improve the delivery of client services. Our ultimate focus is on our clients.