By LINDSAY DARLING PETROSKY
Beginning on Sept. 23, covered entities (including health care providers, group health plans, and health care clearinghouses) and their business associates (including vendors and law firms, among many others, who receive protected health information (PHI) from a covered entity) must comply with the HIPAA/HITECH Omnibus Final Rule requirements.
This includes updates to Notice of Privacy Practices, revisions to Business Associate Agreements, direct application of the HIPAA Privacy and Security Rules to business associates and their subcontractors, and increased penalties for non-compliance.
Last week, the U.S. Department of Health and Human Services, Office for Civil Rights (HHS) entered into a settlement agreement with Affinity Health Plan, Inc., which provides a scary illustration of just how costly noncompliance can be. In the agreement, Affinity Health Plan – a nonprofit-managed care plan – agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780.
The settlement resulted from Affinity’s April 15, 2010, report filed under the HITECH Breach Notification Rule, which requires HIPAA-covered entities to notify HHS when a breach of unsecured PHI occurs. What was the breach that cost Affinity almost $1.25 million dollars? The failure to erase data contained on the hard drives of photocopiers that Affinity formerly leased.
Affinity indicated that a representative of CBS Evening News informed Affinity that, as a part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity and that the copier contained confidential medical information on the hard drive.
Affinity estimated that up to 344,579 individuals may have been affected by the breach. The investigation indicated that Affinity “impermissibly disclosed” the electronic PHI “when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.”
The investigation also determined that Affinity “failed to assess and identify the potential security risks and vulnerabilities” of electronic PHI stored on photocopier hard drives as required by the Security Rule, and “failed to implement policies for the disposal of EPHI” when returning the photocopiers to its leasing agents.
In addition to the $1,215,780 payment, the settlement agreement includes a corrective action plan, which requires Affinity to “use its best efforts to retrieve all photocopier hard drives” previously leased by Affinity that remain in possession of the leasing agent and to take measures to safeguard all electronic PHI.
Lindsay Darling Petrosky is an attorney in Jackson Kelly's Charleston and Pittsburgh office's. This editorial appeared on the firm's Health Law Monitor blog.