The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013.  Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780.  The resolution agreement relates to Affinity’s April 15, 2010 report to OCR of an incident where Affinity was contacted by a representative of CBS Evening News, regarding an investigatory report, that CBS had purchased a photocopier previously leased by Affinity, which contained confidential medical information on the hard drive for approximately 344,579 individuals. 

On May 19, 2010, in response to Affinity’s report, OCR initiated its investigation into Affinity’s compliance with the Privacy, Security, and Breach Notification Rules.  OCR’s investigation indicated the following:

  • Affinity impermissibly disclosed ePHI when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company;
  • Affinity failed to assess and identify the security risks and vulnerabilities of ePHI stored in the photocopier hard drives; and
  • Affinity failed to implements its policies for the disposal of ePHI with respect to the photocopier hard drives. 

In addition to the settlement amount, Affinity agreed to a 120-day corrective action plan which includes: 

  • Affinity using best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by Affinity that remain in the possession of the leasing agent, and safeguarding all ePHI contained therein from impermissible disclosure.  Affinity must either provide documentation of best efforts or provide written certification that it has completed this requirement. 
  • Affinity conducting a comprehensive risk analysis of the ePHI security risks and vulnerabilities, which includes all electronic equipment and systems controlled, owned, or leased by Affinity.  This risk analysis must be provided to OCR for review and recommended changes before implementation and training of Affinity staff. 

Directly addressed in HHS’ press release regarding the Affinity settlement, HHS advises covered entities to be cognizant of the importance of safeguarding sensitive data, referring to FTC guidance, NIST guidance, and OCR training.  Sensitive data can be stored on devices beyond just laptops, thumb drives, and external hard drives.  As part of your periodic risk anlaysis, consider what other devices or equipment may be storing ePHI that have not been previously considered.  With enforcement of the Final Rule beginning on September 23, 2013, as previously discussed on the Data Privacy Monitor, liability for potential HIPAA violations such as the above will also extend directly to business associates that receive or store PHI.