Photocopiers seen as HIPAA risk after $1.2 million payout
Of all things, now you have to worry about photocopiers. A health plan recently agreed to pay $1.2 million for breaching the Health Insurance Portability & Accountability Act (HIPAA) by leaving protected health information (PHI) on the hard disk of a photocopier it sent back after leasing it. The Department of Health and Human Services (HHS) is warning providers that such breaches are more likely than you might have imagined.
Affinity Health Plan will settle potential violations of HIPAA for $1.2 million, HHS reported recently. Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area. (See the story on p. 118 for more details on how the breach was detected.)
Office of Civil Rights (OCR) Director Leon Rodriguez said in his announcement that the settlement illustrates an important reminder about equipment designed to retain electronic information. "Make sure that all personal information is wiped from hardware before it’s recycled, thrown away, or sent back to a leasing agent," he said "HIPAA-covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data and have appropriate safeguards in place to protect this information."
In addition to the $1.2 million payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent and to take certain measures to safeguard all PHI. (For more information on safeguarding sensitive data stored in the hard drives of digital copiers, go to http://1.usa.gov/15q6Jmf.)
Easy to overlook photocopiers
The Affinity settlement is a reminder that PHI can show up in unexpected places, says Dianne J. Borque, JD, an attorney with Mintz Levin in Boston. Most people would not immediately think of a photocopier as storing PHI because we think of the machines as merely copying an original, Borque notes. But today’s photocopiers aren’t like those of a generation ago that needed you to remember only to take your original off the glass before leaving.
"Computers and laptops are not the only devices with hard drives," Borque says. "Photocopiers, fax machines, notebooks and PDAs [personal digital assistants] are all devices with internal storage drives where PHI can reside and must be protected."
She notes that the fine might not even be the worst result for Affinity. "Large fines are bad, but corrective action plans can also be harsh — and expensive," Borque says. "Affinity’s corrective action plan requires comprehensive follow-up on a tight timeframe and with strict oversight by OCR. Affinity is responsible for its own expenses in implementation."
Part of Affinity’s corrective action plan is track down all the other hard drives they forgot to wipe. Borque notes that, hearing of this settlement, a lot of other hospitals might be doing the same backtracking. (See the story on p. 118 for more on what do about that problem.) "This settlement is a teachable moment. You can send a reminder that someone got in a heap of trouble because they forgot to wipe the data on a photocopier," Borque says. "You’ll get a lot of people saying they never even thought of that risk."
The OCR sent a clear message to the healthcare industry, says Joseph S. Abrenio, JD, partner with the law firm of LeClairRyan in Alexandria, VA. Abrenio notes that the Federal Trade Commission (FTC), along with the National Institute of Standards and Technology, offers covered entities advice and guidance on how to properly secure and destroy electronic PHI from photocopier hard drives. "Most importantly, photocopiers should be maintained and monitored by appropriately trained IT staff," Abrenio says. "Secondly, data protection technology, such as encryption and data overwriting software, should be used to ensure the security and, when necessary, the destruction of PHI. Finally, a covered entity should have written policies and procedures related to the use and disposal of photocopiers."
Technological safeguards are covered largely by the security rule, one part of HIPAA that can go overlooked and lead to breaches such as this one, attorneys say. The security rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. (See the story on p. 118 for more information on the security rule.)
The settlement should prompt risk managers to pay a visit to their security officer and discuss the serious ramifications of such an oversight, says James A. Hoover, JD, partner with the law firm of Burr & Forman in Birmingham, AL.
"Ask what your organization has done in this area. Do you have procedures in place to scrub these hard drives before you return equipment to the leasing company? Do you have an inventory of the hard drives that could contain PHI?" he asks. "If you don’t have those policies and procedures, you need to develop them pretty quickly."
- Joseph S. Abrenio, JD, Partner, LeClairRyan, Alexandria, VA. Telephone: (703) 647-5936. Email: email@example.com.
- Dianne J. Borque, JD, Member, Mintz Levin, Boston. Telephone: (617) 348-1614. Email: firstname.lastname@example.org.
- James A. Hoover, JD, Partner, Burr & Forman, Birmingham, AL. Telephone: (205) 458-5111. Email: email@example.com.
Affinity reported its breach after media tip
Officials at Affinity Health in New York had no idea they had lost protected health information (PHI) until they were notified by a news outlet. But then they reported the breach to federal investigators.
Affinity Health Plan will settle potential violations of the Health Insurance Portability & Accountability Act (HIPAA) for $1.2 million. Affinity filed a breach report with the Health and Human Services Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured PHI.
Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.
The health provider estimated that up to 344,579 individuals might have been affected by this breach. OCR's investigation indicated that Affinity impermissibly disclosed the PHI of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.
In addition, the investigation revealed that Affinity failed to incorporate the electronic PHI stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and it failed to implement policies and procedures when returning the photocopiers to its leasing agents.
OMG! How many of our hard drives are out there?
The news of Affinity Health Plan in New York paying a big fine for sending a leased photocopier back without wiping the protected health information (PHI) from its hard drive may have risk managers wondering if their facility has done the same thing. How many hard drives on photocopiers or other equipment did you let loose in past years with sensitive data?
Leased or sold equipment is not the only problem, notes Dianne J. Borque, JD, an attorney with Mintz Levin in Boston. If you are part of a large entity such as a university that has portions covered by the Health Insurance Portability & Accountability Act (HIPAA) and some not, simply moving a photocopier or a fax machine to another office down the hall could be a breach if you don't wipe PHI.
If you are unsure about the status of hard drives that have been sent outside your facility, you already have a problem, Borque says.
"At that point you would have a suspected security incident, and you would need to follow up on that like any security incident at your organization. You have to do due diligence and try to track them down," she says. "If the machines were leased, you have to go to the vendor, and to the new user of that equipment, and hope everyone cooperates with you. If there was a breach, you'll have to decide about disclosing. If you can't find them, you need to document that you made a genuine effort."
Security rule can get short shrift
So much compliance is involved with the Health Insurance Portability & Accountability Act (HIPAA) that it is no surprise some facets get less attention than others. Unfortunately, the security rule is sometimes the part that doesn't get enough attention, says Matthew L. Kinley, JD, partner with the law firm of Tredway Lumsdaine & Doyle in Los Angeles.
The settlement by Affinity Health in New York shows the risk of that oversight, he says.
"The security rule says it's not just a matter of having secure systems from IT. It's a process of going through and evaluating where PHI may be lost," Kinley says. "I get the feeling that the fine for Affinity might have been a lot less if they had actually sat down and thought about where PHI might be. It's really just a matter of brainstorming where you might have PHI and then what you should do to keep it from getting out in the world."
Keeping the PHI from escaping might be an IT issue, Kinley says, but identifying all the potential sources of PHI is not. "If they had done that and still hadn't realized that photocopier was out there with PHI, they could have shown that they made the effort, that they were trying to comply with the rule," Kinley says. "I think that could have made a difference in how OCR [Office of Civil Rights] reacted."
The case is a reminder to take an inventory of all the places PHI might reside in your organization, says Melissa K. Bianchi, JD, partner with the law firm of Hogan Lovells in Washington, DC.
"It's the first step in a risk assessment, but it's easy to focus on the obvious answers and then move on to the next step," Bianchi says. "Everyone is going to say laptops and desktop computers, and maybe phones, but the possibilities are so much broader than that. It would help to involve someone in the process who is very tech savvy and can bring up devices that you never imagined might capture PHI in their daily use."
- Melissa K. Bianchi, JD, Partner, Hogan Lovells, Washington, DC. Telephone: (202) 637-3653. Email: Melissa.bianchi@
- Matthew L. Kinley, JD, Partner, Tredway Lumsdaine & Doyle, Los Angeles. Telephone: (877) 923-0971.