Failure to Erase PHI from Photocopiers leads to $1.2 million HIPAA Settlement for Affinity Health Plan

New York insurer Affinity Health Plan will pay $1.2 million to resolve allegations that it breached HIPAA by returning leased photocopiers without deleting all information from the copiers' hard drives, which contained protected data on 345,000 patients, federal regulators said on Wednesday, August 14. Affinity reported the breach as required by the breach notification rules in the HITECH Act of 2009 and the Omnibus Rule released this year.

Affinity learned of the breach from reporters at CBS Evening News, who purchased one of the copiers and discovered ePHI on its hard drive. This is another harsh reminder that copy machines are a frequent source of unsecured PHI, since their storage is generally not scrubbed by the health care provider before the equipment leaves its custody.

Affinity entered into a Corrective Action Plan that addressed its failure to provide the physical safeguards outlined in the Security Rule, its lack of a proper risk analysis to identify potential vulnerabilities, and its insufficient policies and procedures applicable to the issue. “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said Leon Rodriguez, director of HHS’s Office for Civil Rights.

Written by: Stephen Angelette
