Healthcare Provider Neglects to Erase ePHI on a Photocopier Hard Drive and Is Fined $1.2 Million!

January 12th, 2014

ephiAre you erasing ePHI (electronic protected health information) from your photocopier hard drives prior to disposing of them? If not, you could be assessed huge fines. On August 14th 2013, the U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) announced that Affinity Health Plan, Inc. must pay $1.2 million for violating the HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Rules.

How Did This Happen?

When CBS Evening News purchased a photocopier previously leased by Affinity, the copier contained confidential health information.. OCR investigated and found that Affinity Health Care failed to erase photocopier hard drives before sending them back to the leasing company. The breach affected nearly 344,579 individuals. 

How Can You Avoid This Type of ePHI Disclosure?

It’s essential that you conduct a risk analysis on photocopiers, printers, and scanners — anything used to store ePHI.

The following are three simple steps to take to avoid this type of ePHI disclosure:

1.    Assess and identify the potential vulnerabilities and security risks of ePHI stored in your photocopier hard drives.
2.    Implement policies for the disposal of ePHI stored on photocopiers hard drives.
3.    Erase photocopier hard drives properly prior to disposing, recycling, or sending them back to your leasing company.

Your healthcare organization must comply with standards and implementation specifications noted in the HIPAA Security Rule. According to the Risk Analysis implementation specification for HIPAA, you must identify and prioritize exposures that may compromise the confidentiality, integrity and availability of ePHI.  It’s essential that copiers, scanners and printers that contain ePHI are also included in this Risk Analysis.

When conducting a HIPAA Risk Analysis, it’s critical to consider all IT assets that create, maintain, receive, or transmit ePHI!

Follow these security measures to avoid ePHI disclosure:

  • Encrypt copier hard drives.
  • Hold security awareness and training for your employees.
  • Ensure that your media disposal and re-use policies comply with HIPAA.

A HIPAA breach can lead to hefty fines, reputational damage, and lost customer confidence. Avoid damage to your healthcare organization by conducting a HIPAA Risk Analysis regularly. Also, remember to update your Risk Analysis on an annual basis.

To schedule a HIPAA risk assessment, call {phone} or send us an email at {email}. {company} can help you conduct a HIPAA Risk Analysis and implement proper policies for the disposal of ePHI stored on photocopier hard drives and other computing devices.

Leave a comment!

Your email address will not be published. Required fields are marked *