Yesterday, HHS announced a new HIPAA related settlement with Affinity Health Plan for $1,215,780 related to PHI maintained on leased copy machines.  This settlement follows an OCR investigation prompted by Affinity’s breach report filed on April 15, 2010.   Affinity became aware of the breach following notice from CBS Evening News.  Apparently, CBS purchased a photocopier previously leased by Affinity as part of an investigative report.  CBS then notified Affinity that the copy machine contained PHI on its hard drive.  Affinity reported that an estimated 344,579 individuals were affected by this breach.

OCR determined that Affinity improperly disclosed PHI when it returned its copy machines to the leasing agents without erasing the data on the copier hard drives.  Additionally, Affinity failed to include the copy machine hard drives in its HIPAA mandated risk analysis required by the Security Rule and failed to implement policies and procedures for wiping the hard drives when returning the photocopiers to its leasing agents.  Affinity also entered into a corrective action plan with the OCR to retrieve all hard drives contained on copy machines previously leased that remain in the possession of the leasing agent.

Covered Entities (and now business associates) need to make sure that all electronic devices, including copy machines, medical equipment computers, mobile phones, tablets, etc. are incorporated into their HIPAA Security Policies and Procedures and are evaluated to ensure that PHI is wiped prior to returning or selling any such devices.  The FTC has issued a report on safeguarding data stored in hard drives of digital copiers and NIST has also issued guidance on media sanitation.

For more information regarding how to comply with the HIPAA Security Rules please contact Elana Zana.