
Photocopier Error Costs $1.2 Million in HIPAA Breach Fines

A document left on the glass after copying exposes one record to whoever uses the machine next; a digital photocopier's hard drive can expose the health data of hundreds of thousands of people. Digital copiers store an image of each document they copy, scan, print or fax on an internal hard drive, and those images remain on the drive until they are deleted or overwritten.

Many organizations and individuals do not realize this, or forget it, and do not wipe the drive before scrapping, selling or returning the machine. Every document ever copied on the machine is then available to anyone who removes the hard drive and reads it. Digital photocopiers sold since 2002 have generally included a hard drive.

The HIPAA Security Rule's device and media controls standard (45 CFR 164.310(d)) requires covered entities to have policies governing the final disposition of ePHI and of the hardware on which it is stored, and to remove ePHI from electronic media before the media are re-used. In practice this means a covered entity must securely erase every hard drive holding ePHI before the device is scrapped, decommissioned, sold or returned to a leasing company, and that obligation covers photocopiers, multifunction printers and fax machines just as it covers PCs, laptops, servers and mobile devices.
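The step organizations most often skip is not the overwrite but the verification that the overwrite actually happened. The following shell script is an added example, not code from HIPAA Journal or from any copier vendor; it works on a constructed disk image file (hypothetical path /tmp/copier.img, constructed contents) so it can be run safely, and on a real drive the image path would be replaced by the block device (for example /dev/sdX) with the same verification logic. It plants a mock patient record in the image, overwrites the whole medium, then reads the medium back and confirms that the record is gone and every byte is zero.

```shell
#!/bin/sh
# Added example (not from the HIPAA Journal article): overwrite a storage
# medium, then verify the overwrite by reading the medium back.
# All data below is constructed for the demonstration.

# Build a 64 KiB image that "contains" a copied patient document at offset 4096.
make_sample_image() {
  img="$1"
  dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
  printf 'PATIENT: Jane Doe  SSN: 000-00-0000  DIAGNOSIS: example\n' \
    | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Count occurrences of a known plaintext marker on the medium.
# Deleting files does not remove them from free space, so the scan reads
# the raw medium, not a filesystem.
marker_hits() {
  grep -a -c 'PATIENT:' "$1"
}

# Overwrite the entire medium with zeros, not just the files visible in a
# filesystem. Caveat: on SSD/flash media an overwrite can miss remapped
# blocks; use the controller's secure-erase/sanitize command there and
# still verify afterwards.
overwrite_medium() {
  size=$(wc -c < "$1")
  dd if=/dev/zero of="$1" bs=1024 count=$(( (size + 1023) / 1024 )) \
     conv=notrunc 2>/dev/null
}

# Verification: dump every byte as hex; after removing spaces, newlines and
# the digit 0, anything left over is a non-zero byte. Prints "clean" and
# returns 0 only when the whole medium reads back as zeros.
verify_zeroed() {
  if [ -z "$(od -An -v -tx1 "$1" | tr -d ' \n0')" ]; then
    echo clean
    return 0
  fi
  echo dirty
  return 1
}

# Usage (stand-alone run):
#   make_sample_image /tmp/copier.img
#   marker_hits /tmp/copier.img      -> 1
#   overwrite_medium /tmp/copier.img
#   marker_hits /tmp/copier.img      -> 0
#   verify_zeroed /tmp/copier.img    -> clean
```

The read-back check is the part to keep for any decommissioning procedure: a wipe that cannot be verified is indistinguishable from a wipe that was never run, which is exactly the failure in the case described below.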

On August 14, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services announced a settlement with Affinity Health Plan, Inc. over exactly this error. The company had returned a number of leased photocopiers to the leasing company at the end of the contract without erasing their hard drives. According to the OCR statement announcing the settlement, the drives held protected health information on up to 344,579 individuals.


The breach was uncovered by CBS News during an investigative report. CBS reporters purchased a number of used digital photocopiers from a batch of roughly 6,000 machines sitting in a New Jersey warehouse awaiting resale, choosing them, according to the report, on the basis of price and the number of documents they were likely to contain.

One of the copiers had belonged to the Buffalo police department and still had a sex crimes division document on the glass; its hard drive held details of wanted sex offenders and domestic complaints. Other machines contained lists of suspects from major drug raids. One copier had previously been owned by Affinity Health Plan. It contained 300 pages of individual patient medical records, including treatments, test results, diagnoses, Social Security numbers and personal contact information.

CBS contacted Affinity Health Plan while preparing the report to alert it to the breach, and the report prompted an investigation by OCR. OCR found that Affinity had failed to include the ePHI stored on the copiers' hard drives in its analysis of risks and vulnerabilities, and had no policies or procedures for erasing those drives before returning the machines to its leasing agent, so the required controls to prevent unauthorized disclosure of protected health information were never applied.

Affinity Health Plan has agreed to pay $1.2 million to settle the HIPAA violations and must also implement a corrective action plan to prevent a recurrence. It must conduct a comprehensive risk analysis covering all of its IT systems, including the devices whose hard drives hold ePHI, and put in place policies and procedures that ensure every such drive is securely erased before the device leaves its control.

The case should serve as a warning to all HIPAA covered entities, and indeed to any owner of a digital photocopier. If the hard drive is not erased before the machine is scrapped, sold or returned, its contents can easily fall into the hands of third parties, some of whom may be buying the machine specifically for the data it contains.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.