The U.S. Department of Health and Human Services (HHS) and Office for Civil Rights announced on Wednesday, August 14, 2013 that Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1.2 million.  Here’s today’s big RISK ANALYSIS TIP – You must subject all Printers, Copiers and Scanners to a Risk Analysis.  

HIPAA Risk Analysis Tip – Yes, Risk-Analyze Printers, Copiers and Scanners

Affinity Health Plan (AHP) is a not-for-profit managed care plan serving the New York metropolitan area.  Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the electronic protected health information (ePHI) of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on their copier hard drives.

The Problem


According the the AHP Settlement Agreement / Corrective Action Plan, OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):

  1. AHP impermissibly disclosed the ePHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.
  2. AHP failed to assess and identify the potential security risks and vulnerabilities of ePHI stored in the photocopier hard drives.
  3. AHP failed to implement its policies for the disposal of ePHI with respect to the aforementioned photocopier hard drives.

Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.  Here’s a link to the 60 Minutes video story Digital Photocopiers Loaded With Secrets.

The Solution

HIPAA Covered Entities and Business Associates are statutorily obligated to fully comply with all standards and implementation specifications in the HIPAA Security Rule.  The Risk Analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) requires that organizations identify and prioritize exposures that may compromise the confidentiality, integrity and availability of ePHI.

When conducting the Risk Analysis, an organization must consider exposures to all information assets that create, receive, maintain or transmit ePHI.  Copiers, scanners and printers that contain ePHI must me included in this analysis.

As with any other information asset and/or underlying media type, one needs to carefully consider the threats and vulnerabilities related to hard drives stored in copiers, scanners and printers.  For example, the absence of controls to prevent the “improper destruction, disposal or reuse of copier hard drives” could allow, as it did on the case of AHP, unauthorized access to ePHI.  Such access compromises the confidentiality of that ePHI; in this case, of roughly 345,000 health plan members.

Controls that might have been implemented had AHP completed a bona fide risk analysis might include, but not be limited to: encryption of the copier hard drives, media re-use and disposal policy and procedures, security/privacy awareness and training and change control processes.

The Results of Doing a Bona Fide Risk Analysis

According to NIST Special Publication 800-30 Revision 1 Guide for Conducting Risk Assessments , a Risk Analysis is “the process of identifying, prioritizing, and estimating risks to organizational operations”.  Done properly, all risks to all information assets and underlying media are identified so that an organization can make informed decisions about how to treat their risks.  I am sure the people at AHP are competent professionals who simply didn’t have the benefit of knowing about this specific exposure related to copier hard drives.  Don’t get caught in the same place — complete a robust, bona fide HIPAA Risk Analysis ASAP and update it on an annual basis.

Watch Our Recorded, On Demand Webinar

Download HIPAA Risk Analysis Buyer’s Guide Checklist

We are often asked, “How do I go about selecting a reputable firm to complete a bona fide HIPAA Security Risk Analysis?”  This HIPAA Risk Analysis Buyer’s Guide Checklist is an easy-to-use tool to assist you in comparing alternative solutions and making your selection.

Other Help Getting Started With Your Bona Fide HIPAA Risk Analysis

Over the years, we’ve helped 100s of organizations complete their HIPAA Risk Analysis. Please benefit from our HIPAA Risk Analysis expertise by:

Wanna be even more hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):

Series Navigation<< HIPAA Risk Analysis Tip – Eligible Provider EHR Pre-Payment Audit Document RequestHIPAA Risk Analysis Tip – You First Need to Understand Risk In order to Conduct a Risk Analysis >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.