Photocopier Misuse Triggers $1.2 Million Dollar Fine for Affinity Health

A HIPAA fine of $1,215,780 has been assessed against Affinity Health Plan,  a not-for-profit managed care plan serving the New York metropolitan area.  The Settlement was announced on August 14, 2013 at 11 pm.

This is the first settlement involving a copier.  Affinity Health Plan had a copier that they returned to the vendor, and it was re-sold to CBS Evening News, without erasing all the files that the printer had stored for year.

CBS News found that the hard drive of the used copier contained health records of The new copier owner found the files and it was determined that over 344,579 individuals had their Protected Health Information exposed by the Breach, which was initially reported in April of 2010.

Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

The settlement included violations of both the HIPAA Privacy and HIPAA Security Rule.  Increases in audits and, subsequently, fines at other healthcare organizations are expected to increase after the new HIPAA Omnibus Rule goes into effect on September 23, 2013.

To read the entire Department of Health and Human Servies (HHS)  Resolution Agreement and Corrective Action Plan can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html.