Affinity Health Plan to Pay $1.2 Million+ for HIPAA Violations
The HHS Office for Civil Rights on August 14 sent the industry a message on the importance of erasing protected health information on hardware being sold, recycled or returned.
HHS announced that Affinity Health Plan, serving metropolitan New York, has settled allegations of HIPAA violations and will pay a $1,215,780 fine, after a photocopier it previously leased was sold to television network CBS. The CBS Evening News, as part of an investigation, found that the copier had protected health information on the hard drive. Affinity estimated that the breach affected 344,579 individuals.
“OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives,” according to the OCR announcement. “In addition, the investigation revealed that Affinity failed to incorporate the electronic protected information stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.”
Among requirements in the correction action plan, Affinity will use “best efforts” to retrieve all hard drives that were contained on photocopiers it previously leased that remain possession of the leasing agent, and to take additional measures to safeguard electronic protected health information. The resolution agreement between OCR and Affinity is available here.