HHS Settles with Health Plan in Photocopier Breach Case
Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier’s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.
- Read the Resolution Agreement - PDF
- For Information on OCR’s Enforcement Activities
- Read the Press Release
- To File a Health Information Privacy or Security Complaint
- View the Federal Trade Commission’s guidance on safeguarding sensitive data stored in the hard drives of digital copiers
- The National Institute of Standards and Technology has issued guidance on assessing the security of multipurpose office machines - PDF
- OCR offers free training
on compliance with the HIPAA Privacy and Security Rules for continuing medical education credit
