HHS SETTLES WITH HEALTH PLAN ON PHOTOCOPIER BREACH

On August 14, 2013, the Department of Health and Human Services (HHS) announced a $1.2 million settlement with Affinity Health Plan, Inc. (Affinity) resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Affinity is an independent, not-for-profit managed care company that offers free or low-cost health insurance to residents of the New York metropolitan area.

Affinity had notified the HHS Office for Civil Rights (OCR) in April 2010 that it had suffered a breach of unsecured protected health information (PHI) stored on the hard drives of leased photocopiers, which had not been erased when the copiers were returned to their lessors. CBS Evening News had purchased one of the photocopiers as part of an investigative report and notified Affinity that its hard drive still contained PHI. Affinity then notified OCR as required by the Breach Notification Rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

OCR determined that Affinity had returned multiple photocopiers to their lessors without erasing the data on the copiers’ hard drives. Affinity estimated that up to 344,579 individuals may have been affected. OCR’s investigation also identified other potential Security Rule violations: Affinity had not included the electronic PHI stored on the photocopier hard drives in its risk analysis, and it had no policies and procedures governing the return of the leased photocopiers. The practical lesson for any covered entity is that multifunction printers and copiers are storage devices: they belong in the asset inventory and the risk analysis, and the drive must be sanitized (or physically retained) before the equipment leaves the organization’s control.

In the HHS press release, OCR Director Leon Rodriguez said, “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent.”
