Law360, New York (September 26, 2013, 5:53 PM ET) –
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) is stepping up its enforcement efforts and cracking down on entities that violate the Health Insurance Portability and Accountability Act of 1996. Earlier this year, Idaho State University was fined $400,000 for the breach of unsecured protected health information (PHI) regarding 17,500 individuals who were patients at a university clinic.
In July, managed care company WellPoint Inc. agreed to pay the HHS $1.7 million to settle potential violations of the HIPAA privacy and security rules. The most recent settlement involves Affinity Health Plan Inc., a not-for-profit managed care plan serving the New York metropolitan area. Affinity agreed to pay over $1.2 million as part of the settlement with the OCR for a security breach involving leased copiers, even though it was not clear that any PHI was actually misused or retained as a result of the breach.
Affinity notified the OCR of a potential breach on April 15, 2010, after discovering that copiers it had leased and then returned still contained electronic PHI (ePHI). Often overlooked, advanced copiers, such as those used by Affinity, can contain hard drives where digital images of the documents being copied are stored before they are printed. Depending on the size of the hard drives and the volume of documents being scanned, these hard drives can store thousands of images. Unless the hard drive is wiped, the images remain on the copier until the drive is full, and new data overwrites the old.
At the end of Affinity’s lease, the copiers were returned and then leased again to a different company. At least one recipient of the leased equipment — CBS Evening News — discovered ePHI on the copiers. CBS Evening News reported this to Affinity, who in turn reported the incident to the OCR.
Presumably, CBS Evening News recognized the sensitive nature of the information and did not retain or further disclose the information. However, the risk of compromise was relatively high — Affinity had returned multiple photocopiers to its leasing agents that together contained information on as many as 344,579 individuals.
After an investigation, the OCR concluded that Affinity impermissibly disclosed the ePHI of these individuals when it returned the photocopiers to the leasing agents without erasing data contained on the copier hard drives. However, this finding alone does not explain the high settlement amount.
What does explain the substantial penalty is a circumstance that regularly appears in reports of high-dollar settlements under HIPAA: Affinity did not base its policies and procedures on a thorough risk assessment, as required by the security rule, and therefore, Affinity failed to implement policies and procedures for safeguarding ePHI when returning the photocopiers to its leasing agents.
Affinity should have accounted and planned for the storage of ePHI on photocopier hard drives in its analysis of risks and vulnerabilities. OCR Director Leon Rodriguez noted, “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
In addition to the settlement payment, the OCR instituted a corrective action plan (CAP) requiring Affinity to use its “best efforts” to retrieve all of the hard drives that were contained on the copiers in the possession of the leasing agent and safeguard all ePHI contained therein from impermissible disclosure.
If Affinity is unable to obtain the hard drives, Affinity must document its best efforts to do so and provide the OCR with the reason(s) Affinity was unsuccessful. Affinity must also now meet its obligation under the security rule to conduct a comprehensive risk analysis of the risks and vulnerabilities associated with its possession of ePHI and develop a plan to mitigate such risks and vulnerabilities. However, under the CAP, Affinity’s plan will be subject to the OCR’s review and approval.
It is hard to deny the similarities between the Affinity settlement and other major settlements with the OCR in the recent past. It is not, as some might believe, because each involves an unauthorized disclosure of PHI. That is certainly true, but breaches happen all the time.
Instead, the common thread is that the OCR has imposed penalties because policies did not exist, risk assessments were not performed, or policies were not followed. Accordingly, this settlement provides several important instructions for companies that handle ePHI.
First and foremost, include in your risk assessments all equipment and locations where PHI may be stored. All electronic devices with memory have the potential to store PHI, including most printers, copiers, scanners and fax machines. A major goal of conducting risk assessments is to identify new and potential threats to PHI.
When copiers and fax machines were first introduced into the business environment, memory was expensive, and most devices used just enough to print one document at a time. However, as technology advanced, and the price of memory dropped, hard drives in copiers became more and more common.
If your last risk assessment was performed in the ’90s, you might have missed this particular vulnerability. That is why it is important to conduct regular risk assessments, preferably with security professionals who are knowledgeable on a wide range of security topics and technology.
Second, address processes in your written policies and procedures for appropriately deleting or safeguarding such ePHI based on your risk assessment. If the device stores data, then pursuant to HHS guidance, it should be wiped before being sold or discarded. The process may be as simple as running a wiping utility on the device itself, or it may require a computer technician to pull the hard drive out of the machine manually.
Third, make sure you implement policies and procedures that govern the receipt and removal of hardware and electronic media on all electronic devices that contain ePHI. Most covered entities have already realized the importance of wiping desktop computers and laptops, but as this settlement should help demonstrate, printers and copiers are just as important.
Finally, organizations may also be best served by encrypting any ePHI that can be impermissibly accessed on electronic devices. While the HIPAA breach notification rule requires the notification of a breach of PHI, it is important to note that this requirement applies only to the breach of “unsecured” PHI.
Pursuant to HHS guidance, encryption is one way to ensure that any breach of ePHI would remain secure and, therefore, not be subject to notification requirements.
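The four recommendations above (inventory every device with storage in the risk assessment, define a sanitization process, gate the receipt and removal of hardware, and encrypt ePHI at rest) can be expressed as a small, checkable control. The following script is an added illustration written for this page; it is not from the article, the OCR, HHS or Affinity. It assumes a hypothetical asset inventory in which each device records whether it has persistent storage, whether it holds PHI, whether that data is encrypted at rest, and whether a sanitization record with independent verification exists. The device entries, method names and policy thresholds are all constructed for the example, and treating encryption at rest as rendering PHI "secured" is an assumed policy modelled on the HHS guidance the article refers to, not a legal determination.

```python
"""Media-disposition gate for devices that may hold ePHI (added example, not
from the article). Models three controls the article recommends:
  1. a risk-assessment scope check: every device with persistent storage
     must appear in the last assessment;
  2. a disposition gate: no device with storage leaves custody (lease return,
     sale, disposal) without a verified sanitization record;
  3. an exposure report: for devices that already left custody, which ones
     carried PHI that would count as "unsecured" (not sanitized, not encrypted).
All device data below is constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Sanitization methods the (hypothetical) policy accepts as complete.
ACCEPTED_METHODS = {"overwrite", "crypto-erase", "drive-removed", "physical-destruction"}


@dataclass
class SanitizationRecord:
    method: str               # one of ACCEPTED_METHODS
    performed_on: date
    performed_by: str
    verified_by: Optional[str] = None   # must be a different person than performed_by


@dataclass
class Device:
    asset_id: str
    kind: str                          # "copier", "fax", "laptop", ...
    has_persistent_storage: bool       # hard drive / flash that survives power-off
    stores_phi: bool
    encrypted_at_rest: bool = False
    sanitization: Optional[SanitizationRecord] = None


def disposition_issues(device: Device) -> List[str]:
    """Reasons this device must NOT be released yet (empty list means clear)."""
    issues: List[str] = []
    if not device.has_persistent_storage:
        return issues                  # nothing to wipe (e.g. memory-less fax)
    rec = device.sanitization
    if rec is None:
        return ["no sanitization record"]
    if rec.method not in ACCEPTED_METHODS:
        issues.append(f"unrecognised sanitization method '{rec.method}'")
    if rec.verified_by is None or rec.verified_by == rec.performed_by:
        issues.append("sanitization not independently verified")
    return issues


def release_device(device: Device) -> bool:
    """Gate used by the 'removal of hardware' procedure: raise instead of
    silently letting an unwiped drive go back to a lessor."""
    issues = disposition_issues(device)
    if issues:
        raise PermissionError(f"{device.asset_id}: " + "; ".join(issues))
    return True


def unsecured_phi_exposure(devices: List[Device]) -> List[str]:
    """Asset ids whose PHI would count as unsecured if the device left custody:
    it held PHI on persistent storage, was not encrypted at rest (assumed policy:
    encryption renders the data 'secured'), and was not properly sanitized."""
    return [d.asset_id for d in devices
            if d.has_persistent_storage and d.stores_phi
            and not d.encrypted_at_rest
            and disposition_issues(d)]


def risk_assessment_gaps(devices: List[Device], assessed_ids: Set[str]) -> List[str]:
    """Devices with persistent storage that the last risk assessment never covered."""
    return sorted(d.asset_id for d in devices
                  if d.has_persistent_storage and d.asset_id not in assessed_ids)


# Constructed sample inventory (no real assets).
INVENTORY = [
    Device("CP-001", "copier", True, True),                       # the Affinity pattern
    Device("CP-002", "copier", True, True,
           sanitization=SanitizationRecord("overwrite", date(2013, 9, 1), "tech-a", "sec-b")),
    Device("CP-003", "copier", True, True, encrypted_at_rest=True),
    Device("FX-001", "fax", False, True),                         # prints one page at a time
    Device("LT-001", "laptop", True, True,
           sanitization=SanitizationRecord("overwrite", date(2013, 9, 1), "tech-a")),  # self-verified
]

if __name__ == "__main__":
    print("not in last risk assessment:", risk_assessment_gaps(INVENTORY, {"LT-001"}))
    print("unsecured exposure if returned today:", unsecured_phi_exposure(INVENTORY))
    for d in INVENTORY:
        try:
            release_device(d)
            print(d.asset_id, "cleared for release")
        except PermissionError as e:
            print("blocked:", e)
```

The point of the gate is that the check lives in the hardware removal procedure, not in anyone's memory: a copier with no sanitization record cannot be marked returned, and a drive wiped and "verified" by the same technician is still blocked. The exposure report is what an incident responder would want first after learning a batch of devices had already gone back to a lessor.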
Don’t wait until the last minute to tackle these issues. In addition to reviewing your written policies and conducting a risk assessment, your business associate agreements may need to be modified, along with your notice of privacy practices if you are a covered entity.
If you are a business associate under HIPAA, for example, a lawyer who receives or creates PHI in representing covered entities, you should become informed about your newly enhanced obligations and risks under the final rule.
If you are interested in learning more about the Affinity breach, the HHS resolution agreement and corrective action plan can be found on the OCR website here. For more information on safeguarding sensitive data stored in the hard drives of digital copiers, see this page. The National Institute of Standards and Technology has also issued guidance on media sanitization, available here.
–By Marcia L. Augsburger, M. Scott Koller and Tiffani V. Williams, DLA Piper
Marcia Augsburger is a partner, and Scott Koller is an associate in the firm’s Sacramento, Calif., office. Tiffani Williams is an associate in the Washington, D.C., office.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.