HIPAA security breaches usually involve computers, email, and servers. A recent one involved photocopiers, and it ended in a $1.2 million resolution agreement between Affinity Health Plan and the HHS Office for Civil Rights (OCR), which investigated the breach and settled it.
The health plan returned leased copiers to the leasing agent without first erasing the copiers' hard drives. As a result, the protected health information (PHI) of more than 340,000 individuals was disclosed.
Most multifunction copiers built in the last decade contain a hard drive. It is what lets the machine scan, fax, print, and hold jobs, and it keeps an image of every document that passes through the device, often until that space is overwritten. Most people simply don't think of a photocopier as a device with long-term memory.
Affinity's risk analysis never considered the PHI sitting on its copiers' drives. The HIPAA Security Rule requires covered entities to identify and assess every system that stores electronic PHI (ePHI), and a copier with a hard drive is such a system.
Affinity also had no policies or procedures for disposing of ePHI. Notably, the OCR resolution agreement does not assert that anyone beyond the leasing agent ever saw the data; the penalty attached to the missing safeguards, not to proven misuse. The corrective action plan required Affinity to make its best efforts to retrieve, within five days, the hard drives from copiers still held by the leasing agent.
The settlement is an important reminder for healthcare organizations: nearly every modern copier stores electronic information. Safeguards must ensure that each copier is wiped, and the wipe verified, before the machine leaves the premises.
Copiers are routinely re-leased or resold with the previous user's data still on the hard drive, which creates a real risk of disclosing protected information. Covered entities and their business associates can be held liable for that disclosure whether or not anyone is shown to have misused the data.
To avoid liability, healthcare organizations need a defined program for retiring copiers at the end of their useful life or lease. Start by discussing the risk with your IT provider, and involve IT in selecting, installing, and retiring every copier: record each machine as an ePHI system in the risk analysis, write the wipe-or-destroy requirement into the lease contract, and when the time comes have an IT professional overwrite or securely erase the drive (or remove and destroy it), verify that nothing readable remains, and keep a record of the wipe for each serial number. That record is exactly what Affinity could not produce.
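The wipe-verify-record step above, as an added example that is not Veltec's procedure and not part of the OCR agreement: a small POSIX shell script that overwrites a drive (or a disk image pulled from a copier) with zeros, reads the whole extent back to confirm every byte is zero, and appends a line to a disposal log. It assumes dd, cmp, head, wc, and cksum are available, uses blockdev for block-device sizes on Linux when present, and exercises the procedure against a constructed sample image rather than real hardware. The log path and the sample data are hypothetical. Pointing it at a real device requires root and the correct device path, and it destroys whatever is on that device.

```sh
#!/bin/sh
# Added example (not Veltec's or Affinity Health Plan's procedure): overwrite
# copier media with zeros, verify by reading it back, and record the result.
# Assumes POSIX sh plus dd, cmp, head, wc and cksum; blockdev (Linux) is used
# for block-device sizes when present. Log path and sample data are hypothetical.

set -u

DISPOSAL_LOG="${DISPOSAL_LOG:-./copier-disposal.log}"   # hypothetical log file

# Size in bytes of a regular file or a block device.
media_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite the entire target with zeros. conv=notrunc keeps a regular file
# at its original size so the verification below covers the full extent.
zero_fill() {
    size=$(media_size "$1") || return 1
    head -c "$size" /dev/zero | dd of="$1" bs=1048576 conv=notrunc 2>/dev/null
}

# Read the media back and confirm every byte is zero (cmp exits 0 only if the
# zero stream and the target are byte-for-byte identical over the full size).
verify_zeroed() {
    size=$(media_size "$1") || return 1
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Append a disposal record: timestamp, target, size, checksum of the zeroed
# media, method, and verification result.
log_disposal() {
    size=$(media_size "$1")
    sum=$(cksum < "$1" | cut -d' ' -f1)
    printf '%s target=%s bytes=%s cksum=%s method=zero-overwrite verified=yes\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$size" "$sum" >> "$DISPOSAL_LOG"
}

# Full procedure: overwrite, verify, log. Returns 0 only when verification passes,
# so a failed wipe never produces a "clean" record.
sanitize_media() {
    zero_fill "$1" || { echo "overwrite failed: $1" >&2; return 1; }
    if verify_zeroed "$1"; then
        log_disposal "$1"
        echo "sanitized and verified: $1"
    else
        echo "VERIFY FAILED, do not release: $1" >&2
        return 1
    fi
}

# Constructed sample "drive image" with PHI-like text, so the procedure can be
# exercised without touching real hardware.
make_sample_image() {
    : > "$1"
    i=0
    while [ "$i" -lt 200 ]; do
        printf 'patient=%05d name=Sample Patient dob=1970-01-01 note=scanned insurance claim\n' "$i" >> "$1"
        i=$((i + 1))
    done
}

# Usage: sh wipe_copier.sh /path/to/device-or-image
if [ $# -gt 0 ]; then
    sanitize_media "$1"
fi
```

A single pass of zeros is an acceptable "Clear" for magnetic disks under NIST SP 800-88, but it is not enough for flash or SSD media, where spare blocks are invisible to the host; for those use the drive's own secure-erase or cryptographic-erase command, or remove and physically destroy the drive. Many copier vendors also ship a data-security kit that overwrites the drive from the device's own menu, which is the better option when the machine is still under a lease that forbids opening it. In every case, keep the verification result and the log line with the copier's serial number.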
Looking for an IT company that understands HIPAA/HITECH? Veltec Networks has experience working with medical organizations across San Jose. Call us at (408) 849-4441 or email us at info@veltecnetworks.com and put our medical IT services team to work for you.