The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced its fourth resolution agreement of 2013. Affinity Health Plan, Inc., a nonprofit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1.2 million. The resolution agreement relates to Affinity’s April 15, 2010, report to OCR of an incident where Affinity was contacted by a representative of CBS Evening News regarding an investigative report that CBS had purchased a photocopier previously leased by Affinity on which the hard drive contained the confidential medical information of approximately 344,579 individuals.

On May 19, 2010, in response to Affinity’s report, OCR initiated its investigation into Affinity’s compliance with the Privacy, Security and Breach Notification Rules. OCR’s investigation indicated the following:

  • Affinity impermissibly disclosed electronic protected health information (ePHI) when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company;
  • Affinity failed to assess and identify the security risks and vulnerabilities of ePHI stored in the photocopier hard drives; and
  • Affinity failed to implement its policies for the disposal of ePHI with respect to the photocopier hard drives.

In addition to the settlement amount, Affinity agreed to a 120-day corrective action plan that provides for the following:

  • Affinity will use its best efforts to retrieve all photocopier hard drives contained in photocopiers previously leased by Affinity that remain in the possession of the leasing agent and safeguard all ePHI contained therein from impermissible disclosure. Affinity must either provide documentation of best efforts or provide written certification that it has completed this requirement.
  • Affinity will conduct a comprehensive risk analysis of the ePHI security risks and vulnerabilities that includes all electronic equipment and systems controlled, owned or leased by Affinity. This risk analysis must be provided to OCR for review and recommended changes prior to implementation and training of Affinity staff.

Directly addressed in HHS’s press release regarding the Affinity settlement, HHS advises covered entities to be cognizant of the importance of safeguarding sensitive data, referring to FTC guidanceNIST guidance and OCR training. Sensitive data can be stored on devices beyond just laptops, thumb drives and external hard drives. As a result, determining whether there are other devices and equipment that may be storing ePHI that have not been previously considered should be part of your periodic risk assessment. With enforcement of the Final Rule beginning on September 23, 2013, liability for potential HIPAA violations, such as the above, also will extend directly to business associates that receive or store PHI.