Affinity Health Plan Inc. (AHP) has agreed to pay the federal government $1.2 million to settle allegations it violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to erase protected health information from photocopiers it returned to equipment leasing agents.
AHP filed a breach report with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in 2010 indicating that unsecured electronic protected health information (ePHI) for an estimated 344,579 patients was released because it had not erased the hard drives of leased photocopiers before it returned them. In the resulting settlement agreement, AHP agreed to pay $1,215,780 and to pay its own costs associated with the breach and meeting the requirements of the settlement agreement. The Health Information Technology for Economic and Clinical Health, or HITECH, Act, requires covered entities to notify HHS of any breach of any unsecured protected health information.
According to OCR, AHP’s breach notification explained that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.
Not only had AHP not erased the drives but, according to the investigation conducted by OCR, AHP failed to incorporate the photocopier hard drives in its security risk analysis. AHP also failed to implement policies and procedures covering the return of leased photocopiers to the leasing company.
One condition of the settlement agreement and its corrective action plan (CAP) requires AHP to employ its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent. AHP must document its efforts and explain any failure to retrieve a hard drive.
Consider the implications of this if your laboratory had to meet such a requirement. Generally, copiers are placed in convenient areas throughout a laboratory and are used for faxing and printing documents as well as copying. Just trying to figure out which machine might contain ePHI and how many patients might be involved would be a real challenge.
The settlement agreement, the incorporated CAP, and the press release are available on the OCR Web site and should be reviewed by any security officer, privacy officer, and compliance officer who has HIPAA oversight responsibility. These documents contain important information and links to other training and guidance material that will help assess risk and vulnerabilities in your laboratory.
The terms of the CAP appear pretty onerous and include very short time frames for meeting them. For instance, AHP has five days from the effective date of the settlement agreement to use its best efforts to retrieve the photocopier hard drives and secure the ePHI contained on them, or explain why it failed to retrieve any drives. It must provide OCR with documentation describing its best efforts and why it failed to retrieve any drives if that is the case. AHP must provide written certification to OCR that it has met this requirement.
Compliance with this corrective action is based on the review and acceptance of the documentation and written certification. Another requirement is that AHP must conduct a security risk analysis that incorporates all electronic equipment and systems controlled, owned, or leased by AHP within 30 days of the effective date. This requirement includes developing a plan to correct vulnerabilities found in the risk analysis and, if necessary, revise current policies and procedures accordingly.
AHP must submit these documents to OCR for review and then will have an additional 30 calendar days to respond to OCR comments and recommended changes. When that process is completed, AHP has 30 more days to implement the plan and train employees. The CAP requires AHP to retain the related documentation for six years. These requirements are pretty onerous, but if AHP doesn’t meet them or take appropriate action to seek extensions when needed, HHS may impose civil monetary penalties on AHP.
Takeaway: Security risk assessments must include any electronic device that has its own hard drive or internal storage, and such devices must be properly disposed of (including documentation of disposal).
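The takeaway above can be turned into a checkable control: an asset inventory that records which devices carry internal storage and whether each is in scope for the risk analysis, paired with a sanitization log that must show a dated record before a leased device goes back to the vendor. The following is an added example written for this article, not code from AHP, OCR, or any vendor; the device records, asset IDs, dates, and certificate references are constructed sample data, and `find_gaps` is a hypothetical helper name.

```python
"""Lease-return sanitization gate (illustrative, constructed data).

Flags storage-bearing devices that (a) were left out of the security risk
analysis, (b) were returned to a lessor with no sanitization record, or
(c) have a sanitization record dated after the return, which cannot have
protected the data that left the building.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Device:
    asset_id: str
    kind: str                  # "copier", "laptop", "label printer", ...
    has_storage: bool          # internal hard drive or flash that can retain ePHI
    leased: bool
    in_risk_analysis: bool     # listed in the current security risk analysis
    returned_on: Optional[date] = None   # date the unit left the organization


@dataclass
class SanitizationRecord:
    asset_id: str
    method: str                # e.g. "overwrite", "degauss", "physical destruction"
    performed_on: date
    performed_by: str
    certificate_ref: str       # reference to the written disposal documentation


def find_gaps(devices: List[Device],
              records: List[SanitizationRecord]) -> List[Tuple[str, str]]:
    """Return (asset_id, reason) pairs for every storage-bearing device that
    fails the inventory or disposal-documentation check. Devices without
    internal storage are exempt."""
    by_asset = {r.asset_id: r for r in records}
    gaps: List[Tuple[str, str]] = []
    for d in devices:
        if not d.has_storage:
            continue
        if not d.in_risk_analysis:
            gaps.append((d.asset_id, "not in risk analysis scope"))
        if d.returned_on is not None:
            rec = by_asset.get(d.asset_id)
            if rec is None:
                gaps.append((d.asset_id, "returned without sanitization record"))
            elif rec.performed_on > d.returned_on:
                gaps.append((d.asset_id, "sanitization dated after return"))
    return gaps


# Constructed sample inventory: five devices in a laboratory, four copiers
# and one label printer with no internal storage.
SAMPLE_DEVICES = [
    Device("CP-0101", "copier", True, True, True, date(2010, 3, 1)),   # wiped before return
    Device("CP-0102", "copier", True, True, True, date(2010, 3, 1)),   # returned, no record
    Device("CP-0103", "copier", True, True, False, None),              # on site, out of scope
    Device("PR-0201", "label printer", False, True, True, date(2010, 3, 1)),  # exempt
    Device("CP-0104", "copier", True, True, True, date(2010, 3, 1)),   # record dated after return
]

# Constructed sanitization log (certificate references are placeholders).
SAMPLE_RECORDS = [
    SanitizationRecord("CP-0101", "overwrite", date(2010, 2, 27), "vendor tech", "CERT-0001"),
    SanitizationRecord("CP-0104", "overwrite", date(2010, 3, 5), "vendor tech", "CERT-0002"),
]


if __name__ == "__main__":
    for asset_id, reason in find_gaps(SAMPLE_DEVICES, SAMPLE_RECORDS):
        print(f"{asset_id}: {reason}")
```

Run against the sample data, the gate reports three findings: CP-0102 left without any record, CP-0103 is missing from the risk analysis scope entirely, and CP-0104 has a certificate dated four days after the unit was returned. The first and third are exactly the conditions the settlement describes; the point of keeping the return date and the sanitization date as separate fields is that a certificate alone does not prove the drive was clean when it left.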