Leasing office equipment can provide businesses with many benefits, such as flexibility, favorable tax treatment, and access to the latest technology. However, leasing can also present an unexpected source of liability for entities covered by the HIPAA Privacy and Security Rules. A recent $1.2 million settlement between the U.S. Department of Health and Human Services (HHS) and a New York non-profit managed care plan highlights the importance of conducting a thorough review of the security risks and vulnerabilities of electronic equipment and systems.

A television network purchased a photocopier that had been previously leased by Affinity Health Plan. The network notified Affinity that the copier’s hard drive contained protected health information (PHI), which was apparently not deleted when Affinity returned the copier to its leasing agent. As required under the HITECH Breach Notification Rule, Affinity filed a breach report with the HHS Office for Civil Rights (OCR) and estimated that almost 350,000 individuals may have been affected by the breach.

As detailed in the August 7, 2013 Resolution Agreement, the OCR’s investigation found that Affinity impermissibly disclosed PHI by failing to erase the hard drives when the health plan returned multiple leased copiers. It also found that Affinity’s security analysis failed to take into account the information on the hard drives and that Affinity neglected to implement policies and procedures to prevent the disclosure of PHI when returning the leased copiers. Although the settlement was not an admission of liability, Affinity agreed to pay HHS $1,215,780 and implement a corrective action plan, which in part required Affinity to use its “best efforts” to locate all the hard drives in the leased copiers it returned and safeguard the PHI on the hard drives.

Equipment that is designed to retain electronic information presents special challenges when it comes to HIPAA compliance. It is readily apparent that laptop computers, smart phones, and flash drives are all devices that can store PHI, but it is probably much less obvious that a copier falls in the same category. This settlement provides an additional 1.2 million reasons to motivate a covered entity to perform a thorough security analysis to identify the risks of impermissible disclosures of PHI and to implement and follow appropriate policies, such as encryption or deletion, to protect against such disclosures. In light of the ever-increasing role that computer technology plays in their daily operations, covered entities need to be increasingly vigilant to ensure that protected health information is not unwittingly released.