There’s a saying that once you’ve taken your sword out of its sheath, it’s hard to put it back in. It seems to perfectly describe the stance on monetary penalties now being taken by the Department of Health and Human Services (HHS): not content with fining Mass General Hospital $1 million in 2011 and Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates $1.5 million in 2012, the HHS has now reached a settlement with Affinity Health Plan for $1.2 million.
With the Final Omnibus Rule going into effect on September 23, HIPAA covered entities should take the time to ensure that they are complying with HIPAA and HITECH, for example by using laptop encryption software to secure data on portable computers.
Photocopier at the Center of the Penalty
Why was Affinity Health Plan fined $1.2 million? Because they forgot to sanitize their photocopier. And I’m not referring to the lack of Purell in the machine.
According to the complaint, CBS contacted Affinity in 2010 as part of a news story on modern-day copiers. Like your car, photocopiers have a significant computerized component. CBS obtained used photocopiers on the market, and one of the machines’ hard drives contained Affinity’s data.
The HHS Office for Civil Rights looked into the situation and found that approximately 340,000 people were affected by this particular data breach. The sheer number of people affected pretty much guaranteed a fine.
In Affinity’s defense, most people in 2010 didn’t know that photocopiers were really computers. But then, it didn’t take a rocket scientist to figure it out: a machine that scans your document and produces 15 copies, all collated in reverse order, must be storing those images somewhere.
Ignorance is not, and cannot be, an excuse for failing to comply with the law, however. Hence the fine (or, if you prefer, settlement).
While the above fine has nothing to do with laptops, the Mass Eye and Ear case did: a laptop computer that was not secured with encryption software was lost, triggering the $1.5 million fine.
The message here is that HIPAA covered entities (and, beginning in late September, their Business Associates) must pay attention to ePHI in all its forms. The use of laptop encryption is a no-brainer. But photocopiers, CDs, DVDs, backup tapes, smartphones, USB flash drives and any other media where ePHI can be stored must be secured in some way as well.