Protected Health Information can easily be accessed by an unauthorized personnel if a document is left in a photocopier after copies have been made; however digital photocopiers can expose the personal health data of hundreds of thousands of people.
When copies of files are made on a digital photocopier the files remain on the machine until they are deleted by the person making the copies.
Many organizations and people forget or do not realize that this is the case and do not delete the data before destroying the machine. Every file and document copied on the machine will be, possibly, available to anyone who accesses the hard drive on the copier. All digital photocopiers sold since 2002 have included a hard drive as standard.
Under HIPAA rules, it is mandatory for HIPAA covered bodies to erase all ePHI stored on hard drives before they are scrapped, decommissioned or returned to a leasing group. HIPAA-compliant healthcare organizations must make sure that their PCs, laptops and mobile devices have their data properly erased before they are decommissioned, in addition to photocopiers and all other technology that contains ePHI stored on hard drives.
On August 14, 2013, the Office for Civil Rights of the Department of Health and Human Services issued an release that a settlement had been reached with Affinity Health Plan, Inc. for making this mistake. The company had not deleted the data on a number of its photocopiers when it returned them to the leasing company at the end of the contract. The data included on the photocopiers included protected health information on up to 344,579 people according to a statement issued by the OCR announcing the settlement for the HIPAA breach.
The HIPAA breach was discovered by CBS News as part of an investigatory report. CBS reporters bought a number of digital photocopiers waiting to be sold on and were part of a batch of 6000 that were stored in a warehouse in New Jersey. The reporters chose the copiers due to the price and the numbers of documents they stored, according to the CBS report.
One of the photocopiers was from the Buffalo police department and included a document on the glass from its sex crimes division. Details of wanted sex offenders and domestic complaints were among the data obtained from the hard drives. Other machines held lists of possible suspects from major drug raids. One copier was bought that had previously been owned by Affinity Health Plan. It contained 300 pages detailing individual patient medical records, including medical treatments, test results, diagnoses, social security numbers and personal contact data.
CBS got in touch with Affinity Health Plan as part of its report warning them to the HIPAA breach and the report sparked a review by the Office for Civil Rights of the Department of Health and Human Services. It found that Affinity Health Plan had failed to exercise the necessary controls to prevent Protected Health Information from being disclosed to unauthorized personnel when it did not securely erase the photocopier hard drives.
Affinity Health Plan and the OCR have now agreed a settlement of $1.2 Million for the HIPAA violations and it must also adopt a corrective action plan to ensure that similar incidents do not happen in the future. A thorough risk analysis must be completed and all of its IT systems must be assessed for security issues. It must also put in place the appropriate safety measures into its policies and procedures to ensure that all data is securely erased going forward.
The latest violation should serve as a alert to all HIPAA covered bodies and any owner of a digital photocopier. If data is not erased before the machine is being scrapped it can easily fall into the hands of people, some of whom could be purchasing the machine specifically for the data it stores.