Trouble with images? View as a Web page.

Polsinelli - Environmental and Natural Resources

September 2013


Under the New HIPAA Regime, a Lost Laptop Costs $1.5 Million but a Leased Photocopier Costs Almost as Much


Health Care Attorneys:


Matthew J. Murer

Practice Area Chair


Jane E. Arnold

Practice Area Vice Chair


Colleen M. Faddick

Practice Area Vice Chair


Alan K. Parver

Practice Area Vice Chair


Lisa J. Acevedo
Janice A. Anderson
Douglas K. Anning
Joi-Lee K. Beachler
Jack M. Beal
Margaret "Peggy" Binzer
Mary Beth Blake
Mary Clare Bonaccorsi
Gerald W. Brenneman
Teresa A. Brooks
Jared O. Brooner
Ana I. Christian
Anika D. Clifton
Anne M. Cooper
Lauren P. DeSantis-Then
S. Jay Dobbs
Thomas M. Donohoe
Cavan K. Doyle
Meredith A. Duncan
Erin Fleming Dunlap
Fredric J. Entin
Jennifer L. Evans
T. Jeffrey Fitzgerald
Michael T. Flood
Kara M. Friedman
Rebecca L. Frigy
Asher D. Funk
Randy S. Gerber
Mark H. Goran
Linas J. Grikis
Lauren Z. Groebe
Brett B. Heger
Jonathan K. Henderson
Margaret H. Hillman
Julius W. Hobson
Jay M. Howard
Cullin B. Hughes
Sara V. Iams
George Jackson, III
Samuel H. Jeter
Bruce A. Johnson
Lindsay R. Kessler
Joan B. Killgore
Anne L. Kleindienst
Chad K. Knight
Sarah R. Kocher
Dana M. Lach
Robert L. Layton
Jason T. Lundy
Ryan M. McAteer
Jane K. McCahill
Ann C. McCullough
Matthew Melfi
Ryan J. Mize
Aileen T. Murphy
Hannah L. Neshek
Gerald A. Niederman
Edward F. Novak
Thomas P. O'Donnell
Aaron E. Perry
Mitchell D. Raup
Daniel S. Reinberg
Kristen B. Rosati
Donna J. Ruzicka
Charles P. Sheets
Harry Sporidis
Kathryn M. Stalmack
Leah Mendelsohn Stone
Chad C. Stout
Steven K. Stranne
William E. Swart
Tennille A. Syrstad
Emily C. Tremmel
Andrew B. Turk
Joseph T. Van Leer
Andrew J. Voss
Joshua M. Weaver
Emily Wey
Mark R. Woodbury
Janet E. Zeigler


To learn more about our Health Care practice, or to contact one of our Health Care attorneys, click here.


View Polsinelli documents on JD Supra  
LinkedIn Twitter Facebook Inside Law Podcast Connect with us on LinkedIn. Connection with us on Twitter. Connect with us on Facebook.



Nearly one year after a Massachusetts provider paid $1.5 million to settle potential HIPAA violations for the theft of an unencrypted laptop containing protected health information (PHI), providers are reminded once again of how severe the consequences of a HIPAA breach can be. On August 14, 2013 the Department of Health and Human Services (HHS) announced that it entered into a $1,215,780 settlement agreement with Affinity Health Plan, Inc. for potential HIPAA violations involving the breach of unsecured PHI stored in multiple photocopiers.

As required by the HITECH Breach Notification Rule, Affinity filed a report with the HHS Office for Civil Rights (OCR) after learning that photocopiers previously leased by Affinity still had PHI on the hard drives when Affinity returned them to the leasing agent. It is estimated that as many as 344,579 individuals were affected by Affinity's failure to erase data contained on the hard drives. After investigating the incident, the OCR determined that the impermissible disclosure of PHI was not Affinity's only wrongdoing. Affinity also breached the HIPAA Security Rule when it failed to implement policies and procedures for returning the photocopiers and failed to incorporate PHI stored on the photocopiers in its analysis of security risks and vulnerabilities.

In addition to the settlement payment, Affinity entered into a Corrective Action Plan with the OCR that requires Affinity to: 1) use its best efforts to retrieve all photocopiers previously leased from the leasing agent and safeguard the PHI; and 2) conduct a comprehensive analysis of the security risks and vulnerabilities of all electronic equipment and systems used and develop a plan to mitigate any risks.

Additional Resources

In November 2010, the Federal Trade Commission (FTC) issued guidance on safeguarding data stored in the hard drives of photocopiers. The guidance can be found here.

What Providers Should Know

  • PHI is not just stored in computers and laptops—photocopiers, fax machines, tablets, cell phones and other electronic devices have storage capabilities, making them susceptible to security breaches. Providers need to identify and evaluate the risks presented by these data storage media as part of a sound risk analysis.
  • Both covered entities and business associates should have appropriate safeguards in place to protect PHI across any and all types of electronic devices.
  • Covered entities and business associates that utilize leased electronic devices and systems should conduct a risk analysis and set forth policies and procedures to properly erase PHI from the devices before returning them to the leasing agent. This also applies to those that own electronic devices and are looking to recycle, sell, or dispose of them.

For More Information

For more information on the contents of this e-Alert, please contact:



Chattanooga  Chicago  Dallas  Denver  Edwardsville  Jefferson City  Kansas City  Los Angeles  New York  Overland Park
Phoenix  St. Joseph  St. Louis  Springfield  Topeka  Washington, D.C.  Wilmington



Real Challenges. Real Answers.SM  Serving corporations, institutions, entrepreneurs, and individuals, our attorneys build enduring relationships by providing legal counsel informed by business insight to help clients achieve their objectives. This commitment to understanding our clients' businesses has helped us become the fastest growing law firm in the U.S. for the past five years, according to the leading legal business and law firm publication, The American Lawyer. Our more than 680 attorneys in 17 cities work with clients nationally to address the challenges of their roles in health care, financial services, real estate, life sciences and technology, energy and business litigation. The firm can be found online at Polsinelli PC. In California, Polsinelli LLP.


To update your email preferences, please contact Kim Auther at To opt out of these communications, click the unsubscribe link below.

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. The choice of a lawyer is an important decision and should not be based solely upon advertisements.

Copyright © 2013 Polsinelli PC.

Connect with us on LinkedIn. Connection with us on Twitter. Connect with us on Facebook.