Copiers result in $1.2 million settlement and CAP for Affinity Health

Yet another covered entity has been hit with over $1 million to settle potential violations of HIPAA, this time for improper disposal of photocopiers.  Last week, OCR announced a settlement had been reached with Affinity Health Plan, Inc. ("Affinity"), a managed care plan in New York, for potential HIPAA violations stemming from a breach in 2010. 

Affinity had reported the breach after it was informed by CBS Evening News that confidential medical information was on the hard drive of a photocopier previously leased by Affinity.  Originally estimated at over 400,000 affected individuals, as reported by, OCR noted in its press release regarding the Resolution Agreement that up to 344,579 individuals were reported as potentially affected by the breach. 

CBS had purchased the copier along with three others as part of an investigatory report on digital photocopiers and identity theft.  As reported by CBS, wasn't until hitting "print" on the fourth machine - from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

OCR stated in its press release that Affinity failed to erase the data contained on copier hard drives when it returned multiple copiers to leasing agents. In addition, the photocopiers were not addressed as part of Affinity's risk assessments or policies.  Director of OCR, Leon Rodriguez, stated,

This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent...." 

As part of the Corrective Action Plan ("CAP"), Affinity must use "best efforts" to retrieve all photocopier hard drives that were previously leased and safeguard all ePHI maintained therein, within five days, certifying such to OCR in writing (and yes, these copiers may have been returned years ago).  Affinity is also required to conduct a risk analysis of risks and vulnerabilities to ePHI incorporating all electronic equipment and systems and develop a plan to address and mitigate any resulting riska and vulnerabilities that are identified.

I hardly need to point out that this resolution agreement is yet another scary reminder and lesson to all covered entities that electronic PHI (ePHI) needs to be disposed of and properly wiped wherever it may reside.  Although servers, desktops, laptops, and mobile devices immediately come to mind as potentially holding ePHI, many covered entities may still be unaware that most newer photocopiers are capable of saving a digital image of documents that are faxed, scanned or copied.  And many covered entities may also not be properly conducting HIPAA required security risk analyses/assessments for all other equipment which could maintain or transmit ePHI. 

To that end, I re-emphasize the following lessons that we've learned from Affinity and some of its companions on OCR's hotseat who have paid dearly as shining examples of how NOT to safeguard PHI and ePHI:

  • Address need for encryption for everything that has ePHI, from laptops to mobile devices and yes, even photocopiers
    • Idaho Hospice ($50K)
    • Providence Health ($100K)
    • Mass Eye/Ear ($1.5M)
    • Alaska DHSS ($1.7M)
  • Dispose of ePHI properly
    • CVS ($2.25M)
    • Rite Aid ($1M)
  • Do not remove PHI or ePHI from your facilities without assessing the risks and safeguarding it
    • Mass General ($1.5M)
  • Choose your Business Associates' wisely (and have written BAAs with them)
    • BCBS Tennessee ($1.5M)
    • Arizona Cardiologists ($100K)
  • Conduct COMPLETE risk assessments that address all ePHI no matter where it may be located (and update them as needed)
    • BCBS Tennessee ($1.5M)
    • Idaho State ($400K)
    • Arizona Cardiologists ($100K)
    • Wellpoint ($1.7M)
  • Have written policies (and actually implement them)
    • Rite Aid ($1M)
    • CVS ($2.25M)
    • Cignet Maryland ($4.3M)
    • Mass General ($1.5M)
    • Cignet Maryland ($4.3 million)

The full Press Release and Resolution Agreement with CAP can be found on OCR's website