The managed care plan, Affinity Health Plan, Inc. (“Affinity”), received notification of the alleged breach from a CBS Evening News representative who, as part of a CBS investigation, had purchased a photocopier previously leased by Affinity. CBS discovered that protected health information (PHI) remained on the photocopier’s hard drive. Affinity estimated that as many as 344,579 persons may have been affected by the breach. Pursuant to the Breach Notification Rule, promulgated under the Health Information Technology for Economic and Clinical Health (HITECH) Act, Affinity filed a breach report with OCR in April 2010.
Upon investigation by OCR, it was determined that Affinity had returned leased photocopiers without erasing (or destroying, i.e., rendering unusable, unreadable, or indecipherable) the information contained on the photocopiers’ hard drives, which included patients’ PHI.
It was also determined that Affinity had not incorporated the data on the photocopiers in its Security Risk Assessment as required under the HIPAA Security Rule, nor did it implement appropriate HIPAA policies and procedures such that the PHI would have been destroyed when returning the photocopiers. Therefore, in addition to the large settlement payment, as part of its Corrective Action Plan, it must also take additional measures to safeguard all electronic PHI (ePHI), including using its “best efforts” to locate all photocopier hard drives previously leased. Affinity’s Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html.
So what does this all mean? First, as we have mentioned before, the HIPAA compliance deadline is looming within the next month (September 23, 2013). Do you qualify as a HIPAA covered entity? If yes, does your practice have HIPAA policies and procedures in place which have been updated since the issuance of the HIPAA “Final Rule” in January 2013? Do these policies include a Security Risk Assessment to be performed on a regular basis? We recommend that such an Assessment be performed at least annually, and that it include confirming procedures regarding the return or retirement of electronic media AND the destruction of ePHI so that it is rendered unusable, unreadable, and indecipherable.
As evidenced by Affinity’s corrective action plan with OCR, HIPAA breaches are a serious and expensive matter, with penalties ranging up to $1.5 million per violation. If your practice qualifies as a HIPAA covered entity, please contact Susan Ziel at sziel@kdlegal.com, or Jaya White at jwhite@kdlegal.com, to learn more about how our firm can assist you to achieve full compliance with the Final Rule requirements in advance of the September 23, 2013 compliance deadline.