HEALTH PLAN PAYS FOR FAILING TO ERASE DATA ON LEASED EQUIPMENT: TWO TAKEAWAYS FOR COMPANIES HANDLING ELECTRONIC PHI

The Office for Civil Rights (OCR) has announced a settlement between the US Department of Health and Human Services and Affinity Health Plan, Inc. to address potential violations of the Health Insurance Portability and Accountability Act of 1996. Affinity, a not-for-profit managed care plan serving the New York metropolitan area, paid more than US$1.2 million as part of the settlement, even though it was not clear that any protected health information (PHI) was actually misused or retained as a result of the breach. In addition to the settlement payment, Affinity will be required to comply with a corrective action plan instituted by OCR.
