The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and Affinity Health Plan (AHP), Inc. reached a $1,215,780 HIPAA violation settlement for a data breach that dates back to 2010.
AHP, according to the HHS resolution agreement, “impermissibly disclosed the EPHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.” Furthermore, HHS found that didn’t do a proper risk assessment for the protected health information (PHI) that was stored in the photocopier as required by the Security Rule. AHP also lacked implement policies and procedures for returning the hard drives to leasing agents and disposing of PHI.
A 2010 CBS Evening News report helped shed light on the exposed PHI inside photocopiers when CBS bought an Affinity-leased photocopier that contained PHI.
“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez said in today’s release. “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
In addition to the $1,215,780 payment, the settlement includes a corrective action plan (CAP) requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI. Caron Cullen, Senior Vice President and Compliance Officer of Compliance & Regulatory Affairs at Affinity, will be the point person for the CAP.
AHP agrees to the following:
1. Within five (5) days of the Effective date, AHP shall use its best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by AHP that remain in the possession of Canon Financial Services, and safeguard all EPHI contained therein from impermissible disclosure. If AHP cannot retrieve said hard drives, AHP shall provide OCR with documentation explaining its “best efforts” and the reason it was unable to retrieve said hard drives. If AHP retrieves said hard drives, AHP shall provide OCR written certification that it has completed the requirements specified in this paragraph. AHP’s compliance with this corrective action will be based on the Region’s review and approval of the documentation explaining why its efforts failed to retrieve the hard drives.
2. Within thirty (30) days of the Effective Date, AHP shall conduct a comprehensive risk analysis of the EPHI security risks and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by AHP. AHP shall also, within this time period develop a plan, to address and mitigate any security risks and vulnerabilities found in this analysis and, if necessary, revise its present policies and procedures. The plan and any revised policies and procedures shall be forwarded to OCR for its review consistent with paragraph 3 below.
3. OCR shall review and recommend changes to the plan and any revised policies and procedures specified in paragraph No. 2. Upon receiving OCR’s recommended changes, AHP shall have thirty calendar days to provide a revised plan and any revised policies and procedures to OCR for review and approval. AHP shall implement the plan and distribute and train staff members on any revised policies and procedures within thirty (30) calendar days of OCR’s approval.
AHP shall have 30 days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that:
1. AHP is in compliance with the obligations of the CAP cited by HHS as being the basis for the breach;
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the 30-day period, but that:
(i) AHP has begun to take action to cure the breach;
(ii) AHP is pursuing such action with due diligence; and
(iii)AHP has provided to HHS a reasonable timetable for curing the breach
The interesting thing about this agreement is obviously the time elapsed between when the breach occurred, CBS reported it and the resolution was put into place. Three and a half years is a long time and $1.25 million is a stiff penalty, so any sort of fallout will be worth watching.