Health plan pays $ 1.2 million for failure to recognize HIPAA risk
Remember when copiers were simple—just paper in, copies out? Once they began scanning and faxing, copiers evolved not just in capability, but as a HIPAA risk. A health plan just paid a $ 1.2 million penalty because a copier it discarded ended up on the TV news.
Buried in your copier is a hard drive used to create an image of the original page that is then sent to a folder, attached to an e-mail, or sent by fax. Over 20,000 images can stay on the drive long after you have walked away, lurking as a HIPAA risk.
If the drive is not removed from the copier when your lease is up or if you replace it, or if a repair includes the replacement of the drive, your old drive can become an expensive data breach. Just ask Affinity Health Plan, since it just paid $ 1,215,780 for a breach that it reported over three years ago. CBS Evening News bought a used copier previously leased by Affinity and discovered confidential information on the drive. (Like you, I wonder too why it took 3 years for the penalty after the breach was reported.)
Watch the CBS Evening News — Copier Vulnerabilities Exposed
Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area. It estimated that up to 344,579 individuals may have had their data breached. The investigation by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) revealed that Affinity had not included its copiers in its HIPAA Risk Analysis, the first requirement of HIPAA and the foundation for eliminating or reducing risks associated with electronic Protected Health Information (ePHI.) By missing this HIPAA risk, Affinity did not erase the drives prior to returning the copiers after their lease.
Others have learned from this breach, and have taken steps to reduce the HIPAA risk hiding unnoticed in copiers. Recently a health care provider in Las Vegas was notified by its copier company that their copiers were going to be replaced. The vendor included a checklist detailing how the data was going to be removed from the copiers’ hard drives—prior to the copiers leaving the office. This vendor was on the ball when it came to HIPAA risk awareness, and reduced the possibility of a data breach both for their company and their client by erasing the drives on site.
Multifunction copier vendors also get it. Xerox has published a document detailing the security in its multifunction devices. These include features like automatic erasure (think electronic shredding) of document images; drive encryption; and even lockable caddies attached to the back of the copier so no one can access the hard drive. Xerox also allows its technicians to leave replaced drives with their healthcare clients, eliminating the possibility of a breach.
Because your copiers store ePHI you will understand why your copier installation and repair company is a HIPAA Business Associate. They must sign a Business Associate Agreement and implement a complete HIPAA compliance program. If they don’t, you will be giving them unauthorized access to Protected Health Information—a data breach. After September 23, they will be directly liable for any data breaches they cause, even if they have not signed a Business Associate Agreement. You will still be liable if you allow them to take a copier or a drive containing patient data.
Steps you should take now include adding your copiers to your HIPAA Risk Analysis; signing a Business Associate Agreement with your copier company; making sure the drives are erased before returning a copier from a lease or replacing it; and ensuring that any drives removed for service are erased or left with you for proper disposal.