Legal: Don't forget about HIPAA changes

Q. Should I be concerned about HIPAA changes?
Tuesday, September 24, 2013

A. Historically, HIPAA and patient privacy have not been areas of significant concern for DME suppliers. However, because of recent increases in HIPAA enforcement, DME suppliers should confirm their compliance with state and federal patient privacy laws. One recent enforcement action is emblematic of how easily HIPAA can be breached.    

Affinity, a nonprofit managed care plan in New York, leased photocopiers from a leasing company. When it was time to return the photocopiers, Affinity failed to properly erase the photocopiers’ hard drives. Affinity learned of the breach when a television broadcasting company purchased one of the photocopiers that Affinity had leased and discovered confidential medical information on the photocopier’s hard drive. Affinity disclosed the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on April 15, 2010.

OCR’s investigation concluded that: 1) Affinity impermissibly disclosed the electronic protected health information (e-PHI) of up to 344,579 individuals by failing to erase the hard drives of the photocopiers prior to sending them back to a leasing company; 2) Affinity failed to assess and identify the potential security risks and vulnerabilities of e-PHI stored in the photocopier hard drives; and (c) Affinity failed to implement its policies for the disposal of e-PHI with the photocopier hard drives. 

On Aug. 7, 2013, Affinity agreed to settle with HHS for $1,215,780. Affinity also agreed to enter into and comply with a correction action plan. Under the plan, Affinity must attempt to retrieve all photocopier hard drives it previously leased. It must also conduct a comprehensive risk analysis of the e-PHI security risks and vulnerabilities to Affinity’s electronic equipment and systems that are either leased or owned by Affinity. Furthermore, Affinity must develop a plan that addresses and mitigates any security risk and vulnerabilities found in Affinity’s risk analysis. Lastly, Affinity must provide OCR a revised plan, and upon approval, distribute and train staff members on the revised plan’s policies and procedures.

Edward Vishnevetsky is an associate with Munsch Hardt Knopf & Harr. Reach him at or 214-855-7546.