Recent Industry News
Affinity Health Plan, Inc. (Affinity), a not-for-profit managed care plan serving the New York metropolitan area, settled a breach case under the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services (HHS) for nearly $1.25 million. Affinity filed a breach report, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, after being informed by CBS Evening News that a photocopier previously leased by Affinity and purchased by CBS Evening News as part of an investigatory report contained protected health information (PHI) on the hard drive.
An investigation by the HHS Office for Civil Rights (OCR) found that Affinity impermissibly disclosed the PHI of nearly 350,000 individuals when it returned multiple photocopiers to leasing agents without erasing data on the hard drives. The OCR also found that Affinity failed to incorporate the electronic PHI (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities required by the HIPAA Security Rule, and failed to implement policies and procedures when returning the photocopiers to leasing agents. The settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all photocopier hard drives used by the plan that remain in the possession of the leasing agent, and to take measures to safeguard all ePHI.
The HHS news release on the photocopier breach case is available at:
Department of Health and Human Services. “HHS Settles with Health Plan in Photocopier Breach Case.” News Release. 14 Aug. 2013.