Wednesday, September 4, 2013
PHI May Be In More Places Than You Think
In 2010, Affinity notified HHS of a security breach after company representatives heard about it on the news. Apparently, CBS Evening News informed the entity that, as part of an investigative report, CBS had purchased a photocopier previously leased by Affinity and found confidential medical information on the photocopier’s hard drive. Affinity’s breach disclosure led to an HHS investigation that revealed Affinity failed to assess the potential security risks from PHI stored on the copier hard drive and to implement policies for disposing of the PHI before returning the copier to the office equipment leasing company. It is estimated that up to 344,579 individuals have been affected by the breach.
The settlement agreement includes a corrective action plan which requires Affinity to use its “best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by Affinity that remain in the possession of [the leasing agent].”
HIPAA covered entities and business associates can learn a valuable lesson from the Affinity settlement and include PHI stored on office equipment hard drives when performing a required HIPAA risk assessment. PHI stored on office equipment hard drives is easy to overlook because such equipment is not used for data storage, but that data must be removed before office equipment is returned or thrown away.
The HIPAA Auditor Cometh – Again
Now is a great time for HIPAA covered entities and business associates to update their HIPAA risk assessments and to review privacy and security policies and procedures with staff members. HHS is expected to resume the HIPAA compliance audit program after October 1, 2013, with the audit program covering a larger number and broader range of organizations than the 2012 audit program that looked at 115 large and small covered entities.
Clay B. Wortham
McBrayer, McGinnis, Leslie & Kirkland, PLLC