Photocopier-Based Breach Leads to $1.2 Million Settlement of HIPAA Claims
August 22, 2013
The Department of Health and Human Services recently announced that Affinity Health Plan, Inc., a New York-based not-for-profit health plan, agreed to pay the Office for Civil Rights over $1.2 million to settle alleged violations of the Health Insurance Portability and Accountability Act's Security Rule. The case stemmed from Affinity's alleged failure to erase protected health information from leased photocopiers before returning the photocopiers to the leasing agent. The photocopiers had protected health information on more than 300,000 individuals still stored on their hard drives. The error came to light when CBS News subsequently purchased one of the photocopiers from the leasing agent, found the information on its hard drive, and made the issue public. Affinity self-reported the error to the OCR, and the OCR concluded that Affinity had improperly disclosed PHI, failed to assess and identify security risks related to PHI on photocopier hard drives, and failed to implement policies for disposing of PHI on photocopier hard drives.
TIP: This case is a reminder to make sure that all sensitive information is securely destroyed before returning leased equipment.
This tip has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.