As I've asked before in this blog, does your medical practice's copier have a hard drive? Failure to scrub and erase data when you dispose of a copier can get you in a lot of HIPAA trouble. Just ask the New York insurer Affinity Health Plan! It was announced that the Plan will pay $1.2 million to resolve allegations it breached the Health Insurance Portability and Accountability Act by returning leased photocopiers without scrubbing their hard drives of protected data involving 345,000 patients. Affinity learned of the potential leak from reporters with the CBS Evening News, who purchased one of the photocopiers and discovered electronic patient records, according to the U.S. Department of Health and Human Services.
This settlement is an important reminder about equipment designed to retain electronic information: make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent. It is also important to note that, in addition to its alleged failure to delete data before returning the copiers, Affinity neglected to incorporate electronic patient health information into the HIPAA Security Rule’s required analysis of potential risks to customer privacy, HHS said.
My question is: When was the last time you assessed potential HIPAA risks for your physician medical practice? There are more risks than you might think.