Recent HIPAA Breach Involves PHI Stored on the Affinity Health Plan’s Photocopiers


HIPAA Security breaches often involve computers, emails, and servers. However, a recent breach involved photocopiers, resulting in a $1.2 million resolution agreement. Affinity Health Plan’s violation was discovered by the HHS Office for Civil Rights (OCR).

The health plan failed to make sure the data was erased from the photocopier’s hard drives before switching the leased copiers. As a result, over 340,000 participants’ protected health information was disclosed.

Most photocopiers built within the last decade contain hard drives that allow the copier to scan, fax, and store various documents. The hard drives also retain images of every document scanned; however, most people don’t think of a photocopier as a device with long-term memory.

During its risk analysis, Affinity Health Plan failed to consider this potential security threat, even though the HIPAA Security Rule requires healthcare providers to account for this possibility during risk analysis.

In addition, the health plan failed to implement an EPHI disposal policy. The OCR’s resolution agreement does not include evidence that the PHI was disclosed beyond the copiers’ leasing agent; in fact, the health plan would most likely have been able to retrieve the data within five days.

This settlement should provide an important reminder for healthcare organizations: most photocopiers store electronic information. It’s important to add safeguards to wipe all copiers clean before leaving the premises.

Often, photocopiers are re-leased or sold with the previous users’ data on the hard drive, leaving significant potential for disclosure of protected information. Healthcare providers will be held liable if protected health information is disclosed.

To avoid liability, healthcare providers must implement programs to deal with retiring copiers when they reach the end of their useful life or lease. The first step should involve discussing the potential risk with your IT provider. Make sure your IT department is involved in selecting, installing, and retiring copiers. When the time comes, an IT professional should make sure the hard drive is wiped of all data.
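The last step above, having IT confirm the drive is actually wiped, is the one that usually goes undocumented. The following is an added example (not code from the original post or from Veltec Networks) of how an IT professional might verify a zero-filled copier drive and produce the record a disposal policy needs. It assumes the drive has been overwritten with a single fill byte and is reachable from a workstation as a block device or image file; the paths, asset tags and "patient" data below are constructed placeholders.

```python
"""Verify that a retired copier's hard drive (or an image of it) was wiped,
and build the disposal-policy record. Added example; assumes a zero-fill
wipe and a device path such as /dev/sdX or a .img file (placeholders)."""
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on large drives


def verify_wiped(path, fill=0x00, chunk_size=CHUNK):
    """Read every byte of the device or image at `path`.

    Returns (is_wiped, bytes_checked, first_bad_offset); first_bad_offset
    is None when every byte equals `fill`. Reading the whole drive, not a
    sample, is what lets the record say "sanitized" with confidence.
    """
    expected = bytes([fill]) * chunk_size
    offset = 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            if data != expected[: len(data)]:
                # Pin down the first byte that survived the wipe.
                bad = next(i for i, b in enumerate(data) if b != fill)
                return False, offset + len(data), offset + bad
            offset += len(data)
    return True, offset, None


def sanitization_record(asset_tag, serial, path, result):
    """Build the log entry a disposal policy needs: what, when, outcome."""
    is_wiped, checked, bad = result
    return {
        "asset_tag": asset_tag,
        "serial": serial,
        "device": path,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "bytes_checked": checked,
        "status": "SANITIZED" if is_wiped else f"FAILED at offset {bad}",
    }


def make_sample_images():
    """Constructed test data, not real drive images.

    'clean' is 2 MiB of zeros; 'dirty' is the same with a fake scanned
    record left behind at offset 1,500,000.
    """
    d = tempfile.mkdtemp(prefix="copier-wipe-")
    clean = os.path.join(d, "clean.img")
    dirty = os.path.join(d, "dirty.img")
    zeros = bytes(2 * CHUNK)
    with open(clean, "wb") as fh:
        fh.write(zeros)
    leftover = b"PATIENT: Jane Doe (constructed) MRN 000000"
    buf = bytearray(zeros)
    buf[1_500_000:1_500_000 + len(leftover)] = leftover
    with open(dirty, "wb") as fh:
        fh.write(buf)
    return {"clean": clean, "dirty": dirty}


def demo():
    """Run the check over both constructed images."""
    return {name: verify_wiped(p) for name, p in make_sample_images().items()}


if __name__ == "__main__":
    for name, path in make_sample_images().items():
        rec = sanitization_record("COPIER-0001", "SN-PLACEHOLDER", path,
                                  verify_wiped(path))
        print(name, rec["status"], rec["bytes_checked"])
```

On a real retirement the drive must be pulled or attached so the host can read it raw; many copiers also offer a vendor "data overwrite" option or full-disk encryption, and physical destruction remains an option, but whichever method is used, the verification result and the record above are what show the disposal policy was followed.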

Looking for an IT company who understands HIPAA/HITECH? Veltec Networks has experience working with medical organizations across San Jose. Call us at (408) 849-4441 or email us at info@veltecnetworks.com and have our medical IT services team working for you.
