If your practice leases photocopy machines, you need to be aware that a copier hard drive may contain your patients’ protected health information (“PHI”). It is imperative that practices recognize that a photocopier stores electronic PHI, and not unwittingly upgrade photocopier machine without first clearing the hard drive of all protected health information.
Affinity Health Plan, Inc. had to learn this lesson the hard way, and it was a lesson that many other practices should heed. The U.S. Department for Health & Human Service, Office of Civil Rights’, “investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier’s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.” The full synopsis, Resolution Agreement, and press release can be read here.
Affinity Health Plan, Inc. learned the hard way. Not only did it harm its reputation, but it also had to pay HHS $1,215,780.00 for its data breach. Healthcare providers must be extremely cautious with regard to ePHI and must be steadfast in safeguarding PHI. Otherwise, you may face disastrous penalties.
Tell us how you prepared for the HITECH Act and Final Rule to avoid breaches? Share your ideas with us by clicking on the comment button below. We’d love to hear from you.
Get “News You Can Use” delivered directly to your e-mail inbox. Click here to Subscribe.