Protected Health Information can easily be disclosed to unauthorized personnel if a document is left in a photocopier after copies have been made; however, digital photocopiers have the potential to expose the personal health data of hundreds of thousands of individuals. When copies of files are made on a digital photocopier, the files remain on the machine until they are deleted.
Many organizations and individuals forget or do not realize that this is the case and do not delete the data before scrapping the machine. Potentially, every file and document copied on the machine will be available to anyone who accesses the hard drive on the machine. All digital photocopiers sold since 2002 have included a hard drive.
Under HIPAA regulations, it is mandatory for HIPAA covered organizations to erase all ePHI stored on hard drives before they are scrapped, decommissioned or returned to a leasing company. HIPAA-compliant healthcare organizations must ensure that their PCs, laptops and mobile devices have their data securely erased before they are decommissioned, in addition to photocopiers and all other devices that contain ePHI stored on hard drives.
On August 14, 2013, the Office for Civil Rights of the Department of Health and Human Services announced a settlement was reached with Affinity Health Plan, Inc. for making this error. The company had not erased the data on a number of its photocopiers when it returned them to the leasing company at the end of the contract. The data stored on the photocopiers included protected health information on up to 344,579 individuals according to a statement issued by the OCR announcing the settlement for the HIPAA violation.
The HIPAA breach was identified by CBS News as part of an investigatory report. CBS reporters purchased a number of digital photocopiers that were waiting to be sold on and were part of a batch of 6000 sitting in a warehouse in New Jersey. The reporters chose the copiers based on price and the number of documents they contained, according to the CBS report.
One of the copiers was from the Buffalo police department and contained a document on the glass from its sex crimes division. Details of wanted sex offenders and domestic complaints were included in the data obtained from the hard drives. Other machines contained lists of potential suspects from major drug raids. One photocopier that was purchased had previously been owned by Affinity Health Plan. It contained 300 pages detailing individual patient medical records, including medical treatments, test results, diagnoses, social security numbers and personal contact information.
CBS contacted Affinity Health Plan as part of its report, alerting the company to the HIPAA breach, and the report sparked an investigation by the Office for Civil Rights of the Department of Health and Human Services. The OCR determined that Affinity Health Plan had failed to exercise the required controls to prevent Protected Health Information from being disclosed to unauthorized personnel when it failed to securely erase the photocopier hard drives.
Affinity Health Plan and the OCR have now arrived at a settlement of $1.2 million for the HIPAA violations, and Affinity must also implement a corrective action plan to ensure that similar incidents do not occur in the future. A fully comprehensive risk analysis must be conducted and all of its IT systems must be assessed for security weaknesses. It must also implement the appropriate safeguards into its policies and procedures to ensure that all data is securely erased in future.
The latest breach should serve as a warning to all HIPAA covered entities and any owner of a digital photocopier. If data is not erased prior to the machine being scrapped it can easily fall into the hands of individuals, some of whom could be purchasing the machine specifically for the data it contains.