The Office for Civil Rights’ (OCR) latest seven-figure fine for HIPAA violations resulted from a failure to remove protected health information or “PHI” from the hard drive of a leased photocopier. The $1,215,780 settlement with Affinity Health Plan, Inc., resulted from Affinity’s failure to erase the PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent. In the course of its investigation, OCR determined that Affinity failed to include data stored on photocopier hard drives within the protections of its HIPAA Security policies and procedures. In addition to the monetary settlement, OCR imposed a Resolution Agreement and Corrective Action Plan, under which Affinity must use its best efforts to retrieve additional photocopier hard drives from its leasing agent and secure any stored PHI. Affinity is required to document its best efforts and explain to OCR any failure to retrieve a hard drive.
This enforcement action provides important reminders for all regulated entities:
-
Computers and laptops are not the only devices with hard drives. Photocopiers, fax machines, notebooks and PDAs are all devices with internal storage drives where PHI can reside and must be protected.
-
A self-reported breach of unsecured PHI may prompt investigation. In this case, OCR’s investigation and the ensuing settlement resulted from Affinity’s own report of the breach, not by complaint or audit.
-
Large data breaches typically prompt larger fines.
-
Large fines are bad, but Corrective Action Plans can also be harsh – and expensive. Affinity’s Corrective Action Plan requires comprehensive follow up on a tight time-frame and with strict oversight by OCR. Affinity is responsible for its own expenses in implementing the plan.