In 2010, Affinity Health Plan, Inc., a New York not-for-profit managed care plan, received some bad news after learning that it was an unwitting player in a CBS Evening News investigation on leased photocopiers. In its investigation, CBS went to a New Jersey warehouse and purchased several photocopiers, which included one previously leased by Affinity. With little effort, CBS was able to retrieve 300 pages of medical records from the Affinity photocopier’s hard drive, including patient test results, diagnostic assessments, and drug prescriptions. As a result, Affinity was required to file a breach report with the U.S. Department of Health and Human Services’s Office for Civil Rights and did so on April 15, 2010.
OCR’s resulting investigation found that: 1) Affinity unlawfully disclosed the electronic personal health information of 344,579 individuals; 2) Affinity failed to “assess and identify the potential security risks and vulnerabilities” related to the storage of electronic personal health information on photocopier hard drives; and 3) Affinity failed to develop and implement proper electronic personal health information disposal policies and procedures related to the use and return of leased photocopiers.
On August 14, 2013, HHS announced a $1,215,780 settlement with Affinity. In addition to this monetary penalty, Affinity is required to follow a Corrective Action Plan, which includes:
- 1. Affinity’s promised exercise of its “best efforts” to retrieve all remaining photocopier hard drives leased from its leasing agent, and if it is unable to retrieve any of these drives, Affinity must document its efforts to locate these hard drives and its reasons for its inability to do so; and
- 2. Affinity must conduct a comprehensive risk analysis of “all [its] electronic equipment and systems controlled, owned or leased;” develop a plan to mitigate any “security risks and vulnerabilities” identified by its risk analysis; and revise any related policies and procedures to ensure compliance with its findings.
In announcing the above settlement, the Director of HHS’s Office of Civil Rights, Leon Rodriguez, sent a clear message to the healthcare industry, stating that entities covered under the Health Insurance Portability and Accountability Act “are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.” He went on to say that “[t]his settlement illustrates an important reminder about equipment designed to retain electronic information: make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent.”
So, what are some lessons to be learned from the Affinity copier snafu? The Federal Trade Commission, along with the National Institute of Standards and Technology, offers some guidance on how to properly secure and destroy electronic personal health information from photocopier hard drives. Most importantly, photocopiers should be maintained and monitored by appropriately trained Information Technology staff. Secondly, data protection technology, such as encryption and data overwriting software, should be used to ensure the security and, when necessary, the destruction of electronic personal health information. Finally, written policies and procedures related to the use and disposal of photocopiers are highly advisable.