Last summer, Affinity Health Plan Inc., a not-for-profit managed healthcare plan in New York, made headlines for all the wrong reasons. Affinity agreed to pay the Department of Health and Human Services Office for Civil Rights more than $1.2 million to settle potential violations of the Health Insurance Portability and Accountability Act’s privacy and security rules arising from Affinity’s return of a leased photocopier.

The returned copier’s hard drive — yes, newer model copiers have hard drives — contained confidential protected health information for more than 340,000 patients. After Affinity returned the copier, it was leased to CBS Broadcasting Inc., which discovered the confidential information and alerted Affinity.