Protected Health Information (PHI) May Be In More Places Than You Think
Thursday, August 29, 2013
Print Mail Download i

A recent HIPAA settlement serves as an important reminder that protected health information (PHI) may be stored on “ordinary” office equipment such as printers, photocopiers, scanners and fax machines, and not just on computer hard drives.  On August 14, 2013, the Department of Health and Human Services (HHS) announced a settlement with the not-for-profit managed care plan Affinity Health Plan, Inc. (“Affinity”) for over $1.2 million in connection with HIPAA Privacy and Security breaches stemming from PHI stored on a photocopier hard drive.

In 2010, Affinity notified HHS of a security breach after company representatives heard about it on the news.  Apparently, CBS Evening News informed the entity that, as part of an investigative report, CBS had purchased a photocopier previously leased by Affinity and found confidential medical information on the photocopier’s hard drive.  Affinity’s breach disclosure led to an HHS investigation that revealed Affinity failed to assess the potential security risks from PHI stored on the copier hard drive and to implement policies for disposing of the PHI before returning the copier to the office equipment leasing company.  It is estimated that up to 344,579 individuals have been affected by the breach.

The settlement agreement includes a corrective action plan which requires Affinity to use its “best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by Affinity that remain in the possession of [the leasing agent].”

HIPAA covered entities and business associates can learn a valuable lesson from the Affinity settlement and include PHI stored on office equipment hard drives when performing a required HIPAA risk assessment.  PHI stored on office equipment hard drives is easy to overlook because such equipment is not used for data storage, but that data must be removed before office equipment is returned or thrown away.

The HIPAA Auditor Cometh…Again.

Now is a great time for HIPAA covered entities and business associates to update their HIPAA risk assessments and to review privacy and security policies and procedures with staff members.  HHS is expected to resume the HIPAA compliance audit program after October 1, 2013, with the audit program covering a larger number and broader range of organizations than the 2012 audit program that looked at 115 large and small covered entities.

© 2024 by McBrayer, McGinnis, Leslie & Kirkland, PLLC. All rights reserved.

Current Legal Analysis

More from McBrayer, McGinnis, Leslie and Kirkland, PLLC

Businesses Receive Greater Clarity on Obligations under Federal Law
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
Public Improvement Liens on Government-Owned Projects
by: Brendan R. Yates
Providers Wary after First Ruling on CMS 60-Day Rule
by: Christopher J. Shaughnessy
Anheuser-Busch to sell distributorship in compliance with Kentucky law
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
Estate Planning for Same-Sex Couples After Obergefell
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
CMS Sends a Lifeline on Stark after Tuomey Affirmed: What Health Providers Should Know
by: Anne-Tyler Morgan
Disparate Impact Claims Fair Game under the Fair Housing Act
by: Preston Clark Worley
How Should Employers Provide Bathrooms for Transgender Employees? OSHA Has the Answer.
by: Amy D. Cubbage
Congratulations on the Birth of Your New Tax Exemption! (Tax Breaks for New Parents)
by: Matthew Koch
NLRB Protects a New Kind of Employee Activity: Worrying About Your Job
by: Luke A. Wingfield

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins