Today the U.S. Department of Health and Human Services announced a $1,215,780 settlement with a not-for-profit managed care plan serving the New York metropolitan area (the Plan) to resolve potential HIPAA Privacy and Security violations stemming from a lack of sanitation of photocopier hard drives.

In accordance with the Health Information Technology for Economic and Clinical Health Act (HITECH), the Plan filed a breach report with HHS in April 2010 after the Plan was informed by CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by the Plan.  CBS informed the Plan that the copier hard drive contained health information.

The Office for Civil Right (OCR) investigation indicated that the protected health information (PHI) of up to 344,579 individuals was impermissibly disclosed when the Plan returned multiple photocopiers to a leasing agent without erasing the PHI contained on the copier hard drives. The investigation also identified that the Plan failed to incorporate electronic PHI stored on the copier hard drives in the Plan’s required security risk analysis and failed to implement related policies and procedures when returning copiers to the Plan’s leasing agents.

The Plan’s corrective action plan requires it to: (1) conduct a comprehensive risk analysis of the Plan’s privacy and security risks and vulnerabilities and (2) use best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the Plan that remain in the possession of the leasing agent and safeguard all electronic PHI contained therein.

This settlement emphasizes OCR’s focus on electronic device and media security.  Covered entities and business associates would be well advised to review all photocopier – and other hard drive and digital memory media – lease agreements for appropriate security measures.  When drafting new lease agreements, consider encryption and overwriting (or the ability to wipe) options and whether your organization is permitted to keep the hard drive when the device is returned so that the organization may sanitize the hard drive itself.  According to the National Institute of Standards and Technology (NIST) minimum sanitation recommendations for rendering data on photocopiers and other multifunctional devices infeasible for recovery include clearing, purging, and destroying.

More information regarding the Federal Trade Commission’s guidance on safeguarding sensitive data stored in the hard drives of copiers is available here and the NIST guidance on assessing security of multipurpose office machines and minimum guidelines for media sanitation is available here. More information regarding the CBS investigatory report is available here.