The next time you walk by your office copier or fax machine, plug a flash drive into a universal serial bus port on your computer, or pull your smartphone out of your pocket, consider the amount of data that has crossed through that device. More importantly, consider the type of data that has crossed through that device. This simple exercise could save you a lot of headaches and a lot of money.
This week, the U.S. Department of Health & Human Services' Office for Civil Rights announced a settlement with Affinity Health Plan Inc. (Affinity), a nonprofit managed care plan serving the New York metropolitan area, for alleged Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations. The damage? $1,215,780 and a corrective action plan. The problem? Affinity failed to identify the potential security risks and vulnerabilities of electronic protected health information (PHI) stored in copier hard drives and failed to properly dispose of the electronic PHI before returning its leased copiers back to the leasing company. A subsequent purchaser of one of the copiers (which happened to be CBS Evening News) discovered PHI on the copier's hard drive. The PHI of up to 344,579 individuals was compromised by this simple oversight.
Such a simple oversight can be costly, however. Prior to February 18, 2009, a HIPAA violation could result in a civil monetary penalty of not more than $100 for each violation, up to $25,000 for identical violations in a calendar year. The Health Information Technology for Economic and Clinical Health Act (HITECH) dramatically increased penalties for HIPAA violations occurring on or after February 18, 2009. The penalty per violation now increases depending on the level of culpability involved and can range from $100 to $50,000 per violation. Failing to correct a violation in a timely manner, if the violation was due to willful neglect, would result in a minimum penalty of $50,000 per violation. Under HITECH, the cap for identical violations in a calendar year increased to $1.5 million.
In light of the increased penalties under HITECH and the ever-changing technological landscape, covered entities--and now business associates--must vigilantly assess the risks these newer technologies pose to the privacy and security of electronic PHI in their possession. Electronic equipment with any type of memory or storage media has the capacity to retain data passed through it long after the data is believed to be removed or deleted. Simply emptying your computer's recycle bin, for example, does not delete the files it contained from your computer. Instead, it frees the storage space containing those files so that they may be overwritten by new data. This space may not be immediately overwritten, so a technologically savvy individual could access that "deleted" information with relative ease. This is the case even on something as innocuous as the office copier, as Affinity can now attest.
To help protect against these hazards, covered entities and business associates, in compliance with the Security Rule, should undertake periodic risk assessments to ensure that any potential risks and vulnerabilities inherent in any existing or newly acquired technology are known and adequately addressed by the entity. Covered entities and business associates need to adopt policies and procedures that address those risks and vulnerabilities, including the disposal of electronic PHI and any hardware or media on which it is stored.
The Federal Trade Commission has published helpful guidance on copier data security. The National Institute of Standards and Technology (NIST) has published helpful guidelines for media sanitation (Guidelines). NIST's guidance is presently undergoing revision. Access a draft of its updated Guidelines.
Copyright 2013, American Health Lawyers Association, Washington, DC. Reprint permission granted