Wednesday, August 21, 2013

Is Your Xerox Machine Violating HIPAA?

The next time you visit your doctor's office and notice an employee using the office copy machine, consider the type and volume of data that has passed through that device -- consider how many patients' protected health information (PHI) is stored on the copier's hard drive.

This is a consideration that New York-based Affinity Health Plan, Inc. failed to make before returning its leased copiers to the leasing company. As luck would have it, CBS Evening News was the subsequent purchaser of those copiers. Much to their surprise, CBS discovered the PHI of 344,559 individuals on the copiers' hard drives.

Affinity settled the claim of the alleged massive HIPAA breach for $1,215,780 and the promise to institute a corrective action plan.  

"Electronic equipment with any type of memory or storage media has the capacity to retain data passed through it long after the data is believed to be removed or deleted." (Kevin Alonso, Esq., Arant Boult Cummings LLP, Nashville, TN.) In light of the risks that newer technologies pose to the privacy and security of PHI, covered entities (health care providers, health plans or health care clearinghouses that transmit any information in electronic form), and now business associates (those who contract to help a covered entity carry out its health care activities and functions), must do more than empty their computers' Recycle Bins in order to remain HIPAA compliant.
