Wagner Header

The Wagner Law Group Description 

The Wagner Law Group, A Professional Corporation, is a nationally recognized ERISA & employee benefits, estate planning, employment, labor & human resources practice. 


Established in 1996, The Wagner Law Group has 23 attorneys engaged exclusively in employee benefits, estate planning and employment law. Seven of our attorneys are AV rated by Martindale-Hubbell as having very high to preeminent legal abilities and ethical standards. The firm is among the largest ERISA boutiques in the country. Our practice is national in scope, with clients in more than 40 states and several foreign countries.



Contact Info

The Wagner Law Group


  Integrity | Excellence


Massachusetts Office 

Tel: (617) 357-5200 

Fax: (617) 357-5250 

99 Summer Street 

13th Floor

Boston, MA 02110

Florida Office 

Tel: (561) 293-3590
Fax: (561) 293-3591
7108 Fairway Drive
Suite 125
Palm Beach Gardens, FL 33418


San Francisco Office

Tel: (415) 625-0002

Fax: (415) 358-8300

315 Montgomery Street

Suite 904

San Francisco, CA 94104





August 22, 2013 

 State and Federal Law Alert



HIPAA Covered Entity pays $1.2 Million to HHS to Settle Photocopier Security Breach 



HHS's Office of Civil Rights ("OCR") recently entered into a Resolution Agreement with a not-for-profit managed care plan to settle potential violations of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules. The plan, which is a "Covered Entity" under HIPAA, has agreed to pay HHS $1.2 million and complete a Correction Action Plan to settle the matter.


The plan's alleged violations involved the impermissible disclosure of electronic Protected Health Information ("ePHI") stored on the hard drives of photocopiers it had leased. CBS News subsequently purchased one of the photocopiers leased by the plan and proceeded to produce an investigatory report that exposed certain ePHI found on the photocopier's hard drives. The plan estimated that this breach may have affected over 344,000 individuals.


As required by HIPAA's Breach Notification Rule, the plan submitted a breach report to OCR. OCR's subsequent investigation of the breach uncovered that the plan neglected to comply with certain HIPAA Security Rule requirements. In particular, the plan failed to:

  • properly erase the photocopier hard drives before returning them to the leasing agents;
  • incorporate the ePHI stored on photocopier hard drives in its analysis of risks and vulnerabilities, as required by the Security Rule; and
  • implement its own policies and procedures for disposing of ePHI.

Under the Resolution Agreement, the plan has agreed to pay HHS $1.2 million and take the remedial actions specified in the Corrective Action Plan. Specifically, the Corrective Action Plan requires the plan to:

  • use (and document) its best efforts to retrieve all photocopier hard drives previously leased and safeguard all ePHI contained therein;
  • conduct a comprehensive risk analysis of all hardware it controlled, owned or leased and develop a plan to mitigate any risks that are discovered in the risk analysis, including modifying its policies and procedures for safeguarding ePHI; and
  • forward its policies and procedures for safeguarding ePHI to OCR and incorporate any of OCR's recommended changes.

To prevent breaches of ePHI with respect to hardware designed to retain electronic information, Covered Entities are advised to ensure that all ePHI is wiped clean from such hardware before it is disposed of, recycled or returned to leasing agents. By taking this action step, Covered Entities can avoid costly HIPAA enforcement actions.


The HHS Resolution Agreement can be viewed at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html.




This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.


Pursuant to Internal Revenue Service Circular 230, we hereby inform you that any advice set forth herein with respect to US federal tax issues is not intended or written by The Wagner Law Group to be used and cannot be used, by you or any taxpayer, for the purpose of avoiding penalties that may be imposed on you or any other person under the Internal Revenue Code.


This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice.  This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.