We encrypt laptops and cell phones. We get business associate agreements to make sure our vendors protect our patients' confidentiality. We have data breach policies in place. That's already a load.
There’s always something else to do.
On August 14, 2013, the Department of Health and Human Services settled with Affinity Health Plan, a non-profit managed care entity, for $1.2 million. Affinity leased copiers from a third party and presumably returned these copiers to the leasing entity when the contract expired.
Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.
Affinity estimated that up to 344,579 individuals may have been affected by this breach. [Office of Civil Rights’] investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.
The take-home message: Make sure the hard drives on devices (such as copiers, fax machines and scanners) are wiped when the devices are returned or retired. Or make sure the leasing entities have business associate agreements in place and that they agree to perform this function when the devices ar
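The post says to make sure a returned copier's drive is wiped, but not how to check that it was. The following is an added example, not code from the post or from Affinity or any copier vendor: it scans a drive image (or a raw device path, if run with the rights to open it) block by block, flags any block that is not all zeros, looks inside those blocks for the document headers a copier typically leaves behind (PDF, JPEG, TIFF, PostScript; the signature list is an assumption of this example), and can do a single zero-fill pass followed by a re-scan. The sample image it builds is constructed for the demonstration.

```python
import os
import tempfile

# Document headers commonly found on copier/scanner drives.
# Assumed list for this example; extend it for the formats your devices produce.
SIGNATURES = {
    b"%PDF-": "PDF",
    b"\xff\xd8\xff": "JPEG",
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
    b"%!PS": "PostScript",
}

BLOCK_SIZE = 4096


def scan_image(fileobj, block_size=BLOCK_SIZE):
    """Read an image block by block.  A block that is not entirely zero counts
    as residual data; inside such blocks, report any recognisable document
    header with its byte offset.  Returns a summary dict."""
    zero_block = bytes(block_size)
    total = nonzero = offset = 0
    findings = []
    while True:
        block = fileobj.read(block_size)
        if not block:
            break
        total += 1
        if block != zero_block[: len(block)]:   # handles a short final block
            nonzero += 1
            for magic, name in SIGNATURES.items():
                idx = block.find(magic)
                if idx != -1:
                    findings.append((offset + idx, name))
        offset += len(block)
    return {"blocks": total, "nonzero_blocks": nonzero,
            "findings": findings, "clean": nonzero == 0}


def scan_path(path, block_size=BLOCK_SIZE):
    """Scan a file or raw block device by path."""
    with open(path, "rb") as f:
        return scan_image(f, block_size)


def overwrite_with_zeros(path, block_size=BLOCK_SIZE):
    """Single-pass zero overwrite of a file or raw device, flushed to disk,
    followed by a verification re-scan.  Returns the post-wipe summary."""
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        remaining = f.tell()
        f.seek(0)
        while remaining > 0:
            n = min(block_size, remaining)
            f.write(bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return scan_path(path, block_size)


def build_sample_image(block_size=BLOCK_SIZE):
    """Constructed sample standing in for a copier drive: four zeroed blocks,
    one block with a PDF header 10 bytes in, then one block of junk bytes."""
    img = bytearray(block_size * 4)
    pdf_block = bytearray(block_size)
    pdf_block[10:10 + len(b"%PDF-1.4")] = b"%PDF-1.4"
    img += pdf_block
    img += b"\x01" * block_size
    return bytes(img)


def demo_on_tempfile():
    """Write the sample image to a temp file, scan it, wipe it, re-scan.
    Returns (before, after) summaries so the result can be checked."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(build_sample_image())
        before = scan_path(path)
        after = overwrite_with_zeros(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo_on_tempfile()
    print("before wipe:", before)
    print("after wipe: ", after)
```

The scan only proves that the addressable sectors read back as zeros. It says nothing about sectors a controller has remapped or about an SSD's spare area, and many copiers will not let you attach the drive to another machine at all. In practice that means using the device's own overwrite or secure-erase function, or removing and destroying the drive, and keeping the vendor's written confirmation with the return paperwork. The scan is the check you run when you can get at the drive yourself.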
I was surprised some months back to find that there are hard drives on photocopiers in the first place. So, apparently, was the military; some copiers had been resold to folks who benefited from the information they contained. As for liability, I'm not sure that it was generally known that any information was retained on the copiers, so the breach could arguably be blamed on the companies that manufactured them, not on the users.
Analogy: imagine an auto that makes and keeps an audio record of everything that’s said inside the car, but this is known only to the manufacturer, or is put in fine print somewhere in the user’s manual, maybe buried somewhere in the specifications section. I discuss a patient with you while we’re driving to dinner.
I trade the car in a few years later, and an HHS employee buys it as a used car. He knows about this, so he decides to indulge his vicariousness and listens to the recordings. He stumbles on our discussion of the patient. Who is at fault for the breach? I reasonably expected that conversations within the car were private. And recording it actually was illegal, since it was tantamount to a non-sanctioned wiretap.
Maybe Affinity should be playing third party defendant with Xerox or Sanyo.
Sounds like CBS News decided to call the HIPAA police instead of Affinity. I wouldn't know how to scrub the drives on my copier, but I'm sure the Copy Shop would. Glad to have this information. 🙂
Eric
A similar news story broke a few years ago informing the public that info was kept on hard drives in copiers. However, this breach takes on a whole new level of compliance concern when HIPAA gets involved. Thanks for the story!