$1.2M HIPAA Settlement Results From Improper Copier Disposal

Be careful when repurposing or disposing of copiers and other equipment and media that may contain protected health information.  That’s the message the Office of Civil Rights is sending health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates in its August 14, 2013 announcement of a $1.2 million plus settlement agreement with Affinity Health Plan, Inc. (Affinity) under the Health Insurance Portability & Accountability Act Privacy and Security Rules.

According to OCR, the non-profit New York area managed care plan Affinity will pay $1,215,780 and take other corrective actions to settle alleged HIPAA violations under the Affinity Resolution Agreement and CAP (Affinity Settlement).  The settlement comes as the September 24, 2013 deadline for health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates to update the written business associate agreements that HIPAA requires exist before business associates can be allowed to create, use, access or disclose personally identifiable health care information protected by HIPAA (PHI) to carry out HIPAA-covered functions on behalf of a Covered Entity to comply with changes to HIPAA’s implementing regulations adopted by OCR earlier this year.  Health plans and other Covered Entities should take timely action to confirm that their existing procedures appropriate safeguards to protect PHI when using or disposing of copiers or other equipment or media as well as to implement business associate or other policy, procedures or training updates required to comply with the updated HIPAA rules.

HIPAA Updates Require Breach Notification, Tightened Other HIPAA Requirements

HIPAA generally requires that Covered Entities (and after September 24, 2013, their business associates) safeguard and restrict the use, access or disclosure of PHI as required by HIPAA.  The HITECH Act amended these requirements to tighten certain of these requirements and restrictions, to expand the sanctions for violation of these requirements, to require Covered Entities and their business associates to provide notification of breaches of unsecured PHI to individuals whose information was breached, OCR and in some cases, the media, and made certain other changes to the original requirements of HIPAA.  Earlier this year, OCR amended and restated its original Privacy and Security Rules here (2013 Final Rule) to comply with changes in the regulations resulting from these HITECH Act amendments beginning last March, but set the deadline for updating business associate agreements to meet these updated requirements at September 23, 2013.

The 2013 Final Rule and other OCR guidance makes clear that OCR expects Covered Entities and their business associates appropriately to safeguard PHI stored in computers, hard drives, and other digital media until it is properly disposed in accordance with the updated standards required by HIPAA as implemented under the 2013 Final Rule. HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information, including breaches resulting from failure to properly secure PHI stored in digital format until it has been destroyed in accordance with the standards established by the 2013 Final Rule.   OCR previously has sanctioned other Covered Entities for failed to properly destroy or safeguard PHI stored in digital format on computer or other equipment before abandoning or disposing of that equipment.  The Affinity Settlement reaffirms OCR’s concern that Covered Entities meet these disposal requirements when replacing or abandoning equipment containing electronic PHI.

Affinity Settlement Highlights

According to the August 14, 2013 OCR announcement of the settlement, the settlement resulted from an investigation initiated after Affinity filed a breach report with OCR on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act.)

In its breach report, Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity.  CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

Affinity estimated in its breach report that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  In addition, OCR reports its investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the Affinity Settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

Learn From Affinity Lesson On Proper Disposal Procedures

Like prior OCR settlements stemming from inadequate security for PHI when transitioning equipment, media or facilities, the Affinity Settlement sends another reminder to Covered Entities and their business associates again of the importance of using appropriate procedures to protect or dispose of PHI when replacing or redeploying equipment or media that may contain PHI.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez.  “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

OCR has published guidance concerning HIPAA’s requirements for the proper safeguarding and disposal of media and equipment in the 2013 Final Rule and other guidance.  Concerning the proper disposition of copiers that may have PHI stored on their hard drives or in other digital formal, OCR in the Affinity Settlement recommended that Covered Entities and their associates also review the Federal Trade Commission’s Guidance On Safeguarding Sensitive Data Stored In The Hard Drives Of Digital Copiers and the National Institute of Standards and Technology has issued Guidance On Assessing The Security Of Multipurpose Office Machines.  Covered Entities and their business associates should use this and other guidance to ensure that they can demonstrate that appropriate practices and procedures have been used to when disposing of or repurposing copies or other equipment that may contain electronic PHI.

HIPAA Regulation Updates Require Other Updates Beyond Disposal Procedures

In addition to addressing the concerns that lead to the Affinity Settlement, Covered Entities and their business associates also should verify that their practices, policies, privacy notices, business associate agreements, and training also are updated to comply with updates to the updated 2013 Final Rule adopted by OCR earlier this year here.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations.  While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to  its HIPAA Rules. The 2013 Regulations published today fulfill  that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For More Information Or Assistance

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: