Helen A. Zamboni
Legal Alert: $1.2M Settlement for HIPAA Breach Based on Photocopier Storage of PHI
On August 14, 2013, the U.S. Department of Health and Human Services (HHS) announced an agreement with Affinity Health Plan, Inc. (Affinity) to settle potential HIPAA violations. Under the agreement, Affinity will pay HHS $1,215,780.
The case arose from Affinity’s failure to “wipe” the memories of its leased photocopiers when surrendering the copiers at the end of their lease terms. The Columbia Broadcasting System later bought one of these copiers and, upon discovering patient protected health information (PHI) in the copier’s memory, alerted Affinity. Affinity then reported the breach to HHS as required by HIPAA, estimating that as many as 344,579 individuals may have been affected by the breach.
HHS took Affinity to task for the breach itself, and for Affinity’s failure to recognize that photocopiers could be the source of an unauthorized disclosure of PHI and to adopt policies to mitigate the risk.
In order to avoid capital costs and to remain current with technology, many health care providers lease photocopiers from third parties and elect to return them rather than purchase them at the expiration of the lease term. Today’s copiers are essentially computers, and are often used in a network environment for printing, scanning and faxing, as well as copying. They are capable of storing thousands of images. Providers need to understand how these machines can put their practices at substantial risk.
The Affinity case was based on breaches occurring after lease expiration. However, while in provider custody, copiers are regularly serviced by third parties whose personnel may be able to access copier memory while performing maintenance and repairs. Providers should ensure that their service contracts contain “Business Associate Agreement” clauses, permitting access to PHI in the course of maintenance and repair but restricting the use or disclosure of PHI except as needed to perform contractual obligations. Further, providers should know how to erase the memories of these machines before they are surrendered at lease expiration, and should document who is responsible for ensuring that this is done.
Modern fax machines function in much the same way as photocopiers, in that they store images before transmitting them. Similar precautions should be taken with respect to these devices.
As always, if you have any questions, please feel free to contact us here or call us at 585.258.2800.