Smith, Gambrell & Russell, LLP


Photocopier HIPAA Breach Results in $1.2+ Million Settlement

August 28, 2013

As part of a settlement with the U.S. Department of Health and Human Services (“HHS”), the Affinity Health Plan, Inc. (“Affinity”) will pay $1,215,780 for returning leased photocopiers that retained electronic protected health information (“ePHI”).

Final HIPAA Rule.  The Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Regulations (the “Final HIPAA Rule”) clarified that photocopiers, facsimiles and other office machines that retain electronic data are subject to the HIPAA privacy and security rules.  For more information about the Final HIPAA Rule, please see the January 23, 2013 theHRBenefitsAuthority, HHS Issues New Regulations on HIPAA Privacy and Security.

The Investigation.  An HHS investigation indicated that Affinity:

  • Impermissibly disclosed the ePHI of 344,579 individuals when it returned multiple photocopiers to a leasing company without erasing the data contained on the photocopier hard drives;
  • Failed to identify and assess ePHI stored on the photocopier hard drives when analyzing risks and vulnerabilities; and
  • Failed to implement policies for the disposal of ePHI on photocopier hard drives.

The Settlement.  As a result of the investigation, Affinity agreed to pay $1,215,780 and take corrective action, which included retrieving the hard drives, conducting a risk assessment on all electronic equipment and updating its HIPAA policies and procedures.

Next Steps.  This investigation and settlement emphasize the need for employers and committees acting on behalf of, or with respect to, health plans to remove ePHI, at the end of a lease term, from any office machine that retains electronic data.

As a reminder, employers and committees should also update their HIPAA privacy and security policies and procedures and amend most business associate agreements in accordance with the Final HIPAA Rule by September 23, 2013.

Contact Information.  For more information on this subject, please contact Amy Heppner (404.888.8825), Kelly Meyers (404.888.8838), or Leslie Schneider (770.863.3617).

