Photocopier Breach Illustrates Hidden Pitfalls of HIPAA’s Privacy and Security Rules
By: Jason Rimes
Photocopiers can be a source of great aggravation for a variety of reasons. They seem to always jam during that last-minute copy job right before a big meeting, or after hours when everyone who knows how to fix the jam has already left for the day. But next time you (finally) get rid of that frustrating machine sitting in your copy room to upgrade to the latest model that promises to never jam, consider what sort of information might need to be cleansed from the hard drive before it is taken away. Had health insurer Affinity Health Plan, Inc. (Affinity) made this inquiry prior to returning a number of photocopiers to an equipment lessor back in 2010, it might have saved itself a significant amount of money and photocopier-related aggravation.
According to a release from the U.S. Department of Health and Human Services (HHS) earlier this year, the hard drives of the above-mentioned photocopiers that Affinity returned to its equipment lessor contained the protected health information of close to 345,000 of its policyholders. Affinity only became aware that it released this protected health information in breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules when it was contacted by a news program that had purchased one of the photocopiers as part of an investigatory report. Affinity self-reported the violation to HHS, and was fined over $1.2 million for the breach.
As stated by Leon Rodriguez, the director of the HHS Office for Civil Rights, “[t]his settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent. HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
A full copy of the resolution agreement between HHS and Affinity can be found at the following link: