Photocopiers and HIPAA: A Potential Million Dollar Problem

Posted on Health Care Law News by author

Under a recent settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc., settled potential violations of the HIPAA Privacy and Security Rules for $1,215,780. HHS-OCR’s investigation revealed that Affinity impermissibly disclosed (without consent) the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copiers’ hard drives. Affinity actually filed its breach report with HHS-OCR after it was informed by the next company to lease one of the photocopiers that the patient data remained on the hard drive. In addition, HHS-OCR’s investigation revealed that Affinity failed to incorporate the electronic protected health information stored on the copiers’ hard drives in its analysis of risks and vulnerabilities, as required by the Security Rule, and failed to implement policies and procedures for returning the hard drives to its leasing agents.

This settlement underscores the very serious HIPAA compliance risks facing both Covered Entities and their Business Associates in the digital age, as well as the critical importance of conducting a proactive and comprehensive HIPAA Risk Analysis led by qualified legal counsel.