Wednesday, September 4, 2013

PHI May Be In More Places Than You Think

A recent HIPAA settlement serves as an important reminder that protected health information may be stored on “ordinary” office equipment such as printers, photocopiers, scanners and fax machines, and not just on computer hard drives.  On August 14, 2013, the Department of Health and Human Services announced a settlement with the not-for-profit managed care plan Affinity Health Plan, Inc. for over $1.2 million in connection with HIPAA Privacy and Security breaches stemming from PHI stored on a photocopier hard drive.

In 2010, Affinity notified HHS of a security breach after company representatives heard about it on the news.  Apparently, CBS Evening News informed the entity that, as part of an investigative report, CBS had purchased a photocopier previously leased by Affinity and found confidential medical information on the photocopier’s hard drive.  Affinity’s breach disclosure led to an HHS investigation that revealed Affinity failed to assess the potential security risks from PHI stored on the copier hard drive and to implement policies for disposing of the PHI before returning the copier to the office equipment leasing company.  It is estimated that up to 344,579 individuals have been affected by the breach.