The U.S. Department of Health and Human Services (HHS) and Office for Civil Rights announced on Wednesday, August 14, 2013 that Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1.2 million. Here’s today’s big RISK ANALYSIS TIP – You must subject all Printers, Copiers and Scanners to a Risk Analysis.
HIPAA Risk Analysis Tip – Yes, Risk-Analyze Printers, Copiers and Scanners
Affinity Health Plan (AHP) is a not-for-profit managed care plan serving the New York metropolitan area. Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the electronic protected health information (ePHI) of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on their copier hard drives.
According to the AHP Settlement Agreement / Corrective Action Plan, OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
- AHP impermissibly disclosed the ePHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.
- AHP failed to assess and identify the potential security risks and vulnerabilities of ePHI stored in the photocopier hard drives.
- AHP failed to implement its policies for the disposal of ePHI with respect to the aforementioned photocopier hard drives.
Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive. Here’s a link to the 60 Minutes video story Digital Photocopiers Loaded With Secrets.
HIPAA Covered Entities and Business Associates are statutorily obligated to fully comply with all standards and implementation specifications in the HIPAA Security Rule. The Risk Analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) requires that organizations identify and prioritize exposures that may compromise the confidentiality, integrity and availability of ePHI.
When conducting the Risk Analysis, an organization must consider exposures to all information assets that create, receive, maintain or transmit ePHI. Copiers, scanners and printers that contain ePHI must be included in this analysis.
As with any other information asset and/or underlying media type, one needs to carefully consider the threats and vulnerabilities related to the hard drives inside copiers, scanners and printers. For example, the absence of controls to prevent the “improper destruction, disposal or reuse of copier hard drives” could allow, as it did in the case of AHP, unauthorized access to ePHI. Such access compromises the confidentiality of that ePHI; in this case, of roughly 345,000 health plan members.
Controls that a bona fide risk analysis might have led AHP to implement include, but are not limited to: encryption of the copier hard drives, media re-use and disposal policies and procedures, security/privacy awareness and training, and change control processes.
The Results of Doing a Bona Fide Risk Analysis
According to NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, a Risk Analysis is “the process of identifying, prioritizing, and estimating risks to organizational operations”. Done properly, all risks to all information assets and underlying media are identified so that an organization can make informed decisions about how to treat those risks. I am sure the people at AHP are competent professionals who simply didn’t have the benefit of knowing about this specific exposure related to copier hard drives. Don’t get caught in the same place — complete a robust, bona fide HIPAA Risk Analysis ASAP and update it on an annual basis.
Watch Our Recorded, On Demand Webinar
Download HIPAA Risk Analysis Buyer’s Guide Checklist
We are often asked, “How do I go about selecting a reputable firm to complete a bona fide HIPAA Security Risk Analysis?” This HIPAA Risk Analysis Buyer’s Guide Checklist is an easy-to-use tool to assist you in comparing alternative solutions and making your selection.
Other Help Getting Started With Your Bona Fide HIPAA Risk Analysis
Over the years, we’ve helped 100s of organizations complete their HIPAA Risk Analysis. Please benefit from our HIPAA Risk Analysis expertise by:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™ - Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™ - Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Wanna be even more hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Attending a HIPAA Audit Prep BootCamp™
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://www.twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter: http://clearwaterc.wpengine.com/newsletters/
- Subscribing to our RSS feed: Clearwater HIPAA Compliance Blog
- Checking our company web site: http://clearwaterc.wpengine.com/
- Attending a HIPAA HITECH live webinar: http://abouthipaa.com/webinars/upcoming-live-webinars/
- Viewing a pre-recorded webinar: http://abouthipaa.com/webinars/on-demand-webinars/
Latest posts by Bob Chaput