Dear friends,
The following article is about the application of HIPAA
requirements to information stored on photocopiers. Feel free to share this
information. If you decide to use this material, please include our copyright
designation that is shown at the end of the article and send us a copy of any
publication in which the material appears.
Please do not hesitate to contact us with comments,
questions, or requests for additional information.
Elizabeth

Elizabeth E. Hogue, Esq.
Office: (877) 871-4062
Fax: (877) 871-9739
Twitter: @HogueHomecare
HIPAA and Photocopiers
The Office of Civil Rights (OCR) of the U.S. Department of
Health and Human Services (DHHS), the primary federal enforcer of HIPAA
requirements, recently settled alleged violations by Affinity Health Plan for
$1,215,780. OCR’s investigation and settlement were based on digital
photocopiers that were leased by Affinity. The photocopiers had hard drives
that stored all information copied by the photocopier. The information stored
included medical records and other documents that contained protected health
information (PHI).
Affinity terminated its lease of the photocopiers. CBS
Broadcasting subsequently purchased a photocopier that had been leased by
Affinity. The staff at CBS found the PHI on the hard drive of the photocopier,
and a representative of the CBS Evening News contacted Affinity to inform
Affinity that PHI had been inappropriately disclosed. The PHI of up to 344,579
individuals may have been disclosed without meeting applicable requirements.
This revelation triggered an OCR investigation and the settlement described
above. The investigation and settlement serve as a reminder to providers to
make certain that hard drives are wiped clean before any equipment is disposed
of, whether by terminating a lease, sale, or other means.
Providers should also take this opportunity to review what
constitutes a breach under new rules effective on September 23, 2013. According
to these rules, “breach” excludes the following:
- Any unintentional acquisition, access, or use of protected
health information by a workforce member or person acting under the authority of
a covered entity or a business associate, if such acquisition, access, or use
was made in good faith and within the scope of authority and does not result in
further use or disclosure in an impermissible manner.
- Any inadvertent disclosure by a person who is authorized to
access protected health information at a covered entity or business associate to
another person authorized to access protected health information at the same
covered entity or business associate, or organized health care arrangement in
which the covered entity participates, and the information received as a result
of such disclosure is not further used or disclosed in an impermissible
manner.
- A disclosure of protected health information where a
covered entity or business associate has a good faith belief that an
unauthorized person to whom the disclosure was made would not reasonably have
been able to retain such information.
- Except for the above, an acquisition, access, use or
disclosure of protected health information in a manner not permitted is presumed
to be a breach unless the covered entity or business associate, as applicable,
demonstrates that there is a low probability that the protected health
information has been compromised based on a risk assessment of at least the
following factors:
  - The nature and extent of the protected health information
  involved, including the types of identifiers and the likelihood of
  re-identification;
  - The unauthorized person who used the protected health
  information or to whom the disclosure was made;
  - Whether the protected health information was actually
  acquired or viewed; and
  - The extent to which the risk to the protected health
  information has been mitigated.
Based upon the above, providers should be reminded that not
all disclosures of PHI are breaches. Providers should apply the criteria above
on a case-by-case basis to determine whether disclosures fall into an exception
described above. If requirements of an exception are met, providers will not be
required to provide notice of breach to patients whose PHI was
compromised.
©2013 Elizabeth E. Hogue, Esq. All rights reserved.
No portion of this material may be reproduced in any form without the advance
written permission of the author.