Who knew that photocopiers stored information? Apparently “CBS Evening News” did, and now an April 2010 investigative report has led to a million-dollar HIPAA settlement.

Affinity Health Plan, Inc. (Affinity), a New York-based, not-for-profit health plan, agreed to pay the Office for Civil Rights (OCR) $1,215,780 to settle potential violations of the Health Information Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resulted from a breach self-report by Affinity, which first learned of the electronic protected health information (PHI) stored on its formerly leased photocopier’s hard drive from “CBS Evening News” (CBS).

In April 2010, CBS conducted an investigative report on the security risks associated with digital photocopiers, which since 2002 have typically contained hard drives that can store an image of every document copied, scanned, or emailed from the machine. As part of the investigation, CBS purchased four randomly selected used photocopiers, including one previously leased by Affinity. On that machine’s hard drive, CBS found 300 pages of individuals’ medical records.

Following Affinity’s breach self-report, OCR found that Affinity impermissibly disclosed PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the machines’ hard drives. OCR further determined that Affinity (1) failed to include electronic PHI stored on photocopiers’ hard drives in its required Security Rule risk analysis, and (2) failed to implement its existing policies and procedures when returning photocopiers to its leasing agents.

In addition to the $1.2 million settlement, the Resolution Agreement between OCR and Affinity included a corrective action plan (CAP). The CAP requires Affinity to use its best efforts to retrieve all hard drives contained in photocopiers previously leased by Affinity that remain in the possession of the leasing agent. Affinity must also (1) conduct a comprehensive risk analysis that incorporates all electronic equipment and systems controlled, owned, or leased by Affinity; (2) develop a plan to address and mitigate the security risks and vulnerabilities found in that analysis; and (3) if necessary, revise its current policies and procedures accordingly.

The broader take-away from this latest enforcement action is that an entity’s failure to conduct a comprehensive Security Rule risk analysis remains OCR’s primary, and most frequently used, trigger for significant enforcement action. Since almost every business uses photocopiers, Affinity serves as a reminder that all covered entities and business associates should implement policies and procedures to ensure that every hard drive is scrubbed of PHI before it leaves their possession. More information on safeguarding sensitive data stored on the hard drives of digital photocopiers can be found here.

For additional information on OCR’s enforcement activities, visit the U.S. Department of Health and Human Services website.