Healthcare Provider Neglects to Erase ePHI on a Photocopier Hard Drive and Is Fined $1.2 Million!

ephiAre you erasing ePHI (electronic protected health information) from your photocopier hard drives prior to disposing of them? If not, you could be assessed huge fines. On August 14th 2013, the U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) announced that Affinity Health Plan, Inc. must pay $1.2 million for violating the HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Rules.

How Did This Happen?

When CBS Evening News purchased a photocopier previously leased by Affinity, the copier contained confidential health information.. OCR investigated and found that Affinity Health Care failed to erase photocopier hard drives before sending them back to the leasing company. The breach affected nearly 344,579 individuals. 

How Can You Avoid This Type of ePHI Disclosure?

It’s essential that you conduct a risk analysis on photocopiers, printers, and scanners — anything used to store ePHI.

The following are three simple steps to take to avoid this type of ePHI disclosure:

1.    Assess and identify the potential vulnerabilities and security risks of ePHI stored in your photocopier hard drives.
2.    Implement policies for the disposal of ePHI stored on photocopiers hard drives.
3.    Erase photocopier hard drives properly prior to disposing, recycling, or sending them back to your leasing company.

Your healthcare organization must comply with standards and implementation specifications noted in the HIPAA Security Rule. According to the Risk Analysis implementation specification for HIPAA, you must identify and prioritize exposures that may compromise the confidentiality, integrity and availability of ePHI.  It’s essential that copiers, scanners and printers that contain ePHI are also included in this Risk Analysis.

When conducting a HIPAA Risk Analysis, it’s critical to consider all IT assets that create, maintain, receive, or transmit ePHI!

Follow these security measures to avoid ePHI disclosure:

  • Encrypt copier hard drives.
  • Hold security awareness and training for your employees.
  • Ensure that your media disposal and re-use policies comply with HIPAA.

A HIPAA breach can lead to hefty fines, reputational damage, and lost customer confidence. Avoid damage to your healthcare organization by conducting a HIPAA Risk Analysis regularly. Also, remember to update your Risk Analysis on an annual basis.

To schedule a HIPAA risk assessment, call (239) 676-6679 or send us an email at Pulse Business Solutions can help you conduct a HIPAA Risk Analysis and implement proper policies for the disposal of ePHI stored on photocopier hard drives and other computing devices.

Yes! I'm looking for the best IT services to support my business
Clients Feedback

After switching to Pulse, we were pleased to know that our IT service bills were consistent and fixed fee each month. This part was huge because finally we could plan and budget for our IT service expenses. We also appreciated the fact that Pulse would dispatch experienced technicians based on the issue at hand resulting in faster resolution of problems that arose. One of the most valuable parts of working with Pulse is that I know there will be a quick and appropriate resolution to any issue that we experience. This process gives me peace of mind because like most small businesses, we need quick and efficient responses to any and every system issue we may face. Pulse’s consistency and dependability in service is unparalleled to providers we’ve had in the past.

Consistent and Dependable
-Non-Profit Organization
Fort Myers, FL
read more»