August 28, 2013
As part of a settlement with the U.S. Department of Health and Human Services (“HHS”), the Affinity Health Plan, Inc. (“Affinity”) will pay $1,215,780 for returning leased photocopiers that retained electronic protected health information (“ePHI”).
Final HIPAA Rule. The Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Regulations (the “Final HIPAA Rule”) clarified that photocopiers, facsimiles and other office machines that retain electronic data are subject to the HIPAA privacy and security rules. For more information about the Final HIPAA Rule, please see the January 23, 2013 theHRBenefitsAuthority, “HHS Issues New Regulations on HIPAA Privacy and Security.”
The Investigation. An HHS investigation indicated that Affinity:
- Impermissibly disclosed the ePHI of 344,579 individuals when it returned multiple photocopiers to a leasing company without erasing the data contained on the photocopier hard drives;
- Failed to identify and assess ePHI stored on the photocopier hard drives when analyzing risks and vulnerabilities; and
- Failed to implement policies for the disposal of ePHI on photocopier hard drives.
The Settlement. As a result of the investigation, Affinity agreed to pay $1,215,780 and take corrective action, which included retrieving the hard drives, conducting a risk assessment on all electronic equipment and updating its HIPAA policies and procedures.
Next Steps. This investigation and settlement emphasize the need for employers and committees acting on behalf of, or with respect to, health plans to remove ePHI from any office machine that retains electronic data at the end of a lease term.
As a reminder, employers and committees should also update their HIPAA privacy and security policies and procedures and amend most business associate agreements in accordance with the Final HIPAA Rule by September 23, 2013.