Could your Photo Copier create a HIPAA Violation?

Stephen Tweed | February 3, 2014 | News and Views
Dear friends, The following article is about the application of HIPAA requirements to information stored on photocopiers.  Feel free to share this information.  If you decide to use this material, please include our copyright designation that is shown at the end of the article and send us a copy of any publication in which the…
Dear friends,
The following article is about the application of HIPAA requirements to information stored on photocopiers.  Feel free to share this information.  If you decide to use this material, please include our copyright designation that is shown at the end of the article and send us a copy of any publication in which the material appears.
Please do not hesitate to contact us with comments, questions, or requests for additional information.
Elizabeth
Elizabeth E. Hogue, Esq.
Office: (877) 871-4062
Fax: (877) 871-9739
Twitter: @HogueHomecare

HIPAA and Photocopiers
The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (DHHS), the primary federal enforcer of HIPAA requirements, recently settled alleged violations by Affinity Health Plan for $1,215,780.  OCR’s investigation and settlement were based on digital photocopiers that were leased by Affinity.  The photocopiers had hard drives that stored all information copied by the photocopier.  The information stored included medical records and other documents that contained protected health information (PHI).
Affinity terminated its lease of the photocopiers.  CBS Broadcasting subsequently purchased a photocopier that had been leased by Affinity.  The staff at CBS found the PHI on the hard drive of the photocopier and a representative of the CBS Evening News contacted Affinity to inform Affinity that PHI had been inappropriately disclosed.  The PHI of up to 344,579 individuals may have been disclosed without meeting applicable requirements.  This revelation triggered an OCR investigation and the settlement described above.  This investigation and settlement serves as a reminder to providers to make certain that hard drives are wiped clean before any equipment is disposed of by terminating leases, sale, etc.
Providers should also take this opportunity to review what constitutes a breach under new rules effective on September 23, 2013.  According to these rules, “breach” excludes the following:
        Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in an impermissible manner.
        Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in an impermissible manner.
        A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
        Except for the above, an acquisition, access, use or disclosure of protected health information in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
o   The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
o   The unauthorized person who used the protected health information or to whom the disclosure was made;
o   Whether the protected health information was actually acquired or viewed; and
o   The extent to which the risk to the protected health information has been mitigated.
Based upon the above, providers should be reminded that not all disclosures of PHI are breaches. Providers should apply the criteria above on a case-by-case basis to determine whether disclosures fall into an exception described above.  If requirements of an exception are met, providers will not be required to provide notice of breach to patients whose PHI was compromised.
©2013 Elizabeth E. Hogue, Esq.  All rights reserved.
No portion of this material may be reproduced in any form without the advance written permission of the author.
Stephen Tweed
Stephen Tweed, CSP, began his journey as a business strategist in home health care in 1982. Today, Stephen is among the top thought leaders in Home Care strategy and management. He has worked with top 5% companies from across the US. He is a sought after speaker at from national and state association events.

Related Posts

Extraordinary Transformation: A blueprint for leaders who want to Transform their Organization

June 5, 2024
By Stephen Tweed As a leader in Home Care, are you working on transforming your organization? Are you looking for strategies and insights to grow your business and get ready for the future? I've just finished reading an amazing book by my friend and professional speaking colleague, Dr. Nido Qubein. "Extraordinary Transformation: An Entrepreneurial Blueprint…

Stephen Tweed’s Podcast and Webinar Appearances

May 30, 2024
As a significant Thought Leader in the Home Care industry, Stephen Tweed is frequently invited to be a guest on industry podcasts and webinars. Here are links to some of Stephen's recent appearances. May 2024 - "The Power of Peer Groups: How Home Care CEOs Propel the Industry's Growth" Stephen was interviewed by Ruby Mehta,…

The Forces and Trends Shaping the Future of Home Care.

May 14, 2024
By Stephen Tweed What will the Home Care Industry look like in five years? Over the past two decades I've been actively engaged in the Home Care Industry, and monitoring the Forces and Trends that are shaping the future of our industry. While much of the growth of Home Care is driven my the entrepreneurial…