$1.2M fine for health plan's HIPAA violations

The Department of Health & Human Services Office of Civil Rights has been warning healthcare providers to conduct risk analyses and act on any deficiencies discovered. A settlement between the government and Affinity Health Plan confirms that this advice is worth heeding.

Affinity, a not-for-profit managed care plan serving the New York Metropolitan area, will settle potential HIPAA violations for $1,215,780.

A photocopier the health plan previously leased was sold to the CBS television network. The CBS Evening News, as part of an investigation, found that the copier had protected health information on the hard drive. Affinity estimated that the breach affected 344,579 individuals.

“OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives,” according to the OCR announcement. “In addition, the investigation revealed that Affinity failed to incorporate the electronic protected information stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.”

Among requirements in the correction action plan, Affinity will use “best efforts” to retrieve all hard drives that were contained on photocopiers it previously leased that remain in possession of the leasing agent, and to take additional measures to safeguard electronic protected health information. The resolution agreement between OCR and Affinity is available here.