According to a press release from the U.S. Department of Health and Human Services (“DHHS”), Affinity Health Plan, Inc., a not-for-profit managed care plan in the New York metropolitan area, will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules for $1,215,780. Affinity filed a breach report with the DHHS Office for Civil Rights (“OCR”) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health (“HITECH Act”) Breach Notification Rule, which requires HIPAA covered entities to notify DHHS of a HIPAA breach of unsecured protected health information (“PHI”). Affinity filed the breach report after a representative of CBS Evening News had informed Affinity that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity and that the copier that Affinity had used contained confidential medical information on the hard drive.

Also according to the press release, OCR’s investigation indicated that Affinity impermissibly disclosed the PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. OCR also found that Affinity had failed to incorporate the electronic protected health information (“EPHI”) stored on photocopier hard drives in its Risk Analysis as required by the Security Rule and had failed to implement policies and procedures regarding returning the photocopiers to leasing agents.

The press release also quoted OCR Director Leon Rodriguez reminding covered entities to make sure that all personal information is wiped from hardware before it is recycled, thrown away, or sent back to leasing agents, to conduct a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and to have appropriate safeguards in place to protect this information.

Also according to the press release, the settlement also includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all EPHI.

This settlement illustrates my previous admonitions: wipe copier hard drives, conduct and regularly update thorough risk analyses, implement reasonable and appropriate security measures based on those risk analyses, implement and enforce required and otherwise reasonable and appropriate policies and procedures, and put into place reasonable and appropriate safeguards to protect PHI and EPHI. It also illustrates that DHHS is serious about investigating breaches violations—not only breaches and violations by large covered entities, but also breaches and violations by small covered entities, “other individuals,” such as visitors and fake doctors, business associates, hospices, state and county government agencies, insurance companies, and now not-for-profit covered entities. Check my previous blog entries and my latest new and revised policies on the Premium Member section of the Veterans Press website.

The press release also includes helpful links as follows: more information on safeguarding sensitive data stored in the hard drives of digital copiers; National Institute of Standards and Technology (“NIST”) guidance on media sanitation; and free OCR training on compliance with the HIPAA Privacy and Security Rules for continuing medical education credit.