As is often the case, health care regulations and tech law overlap.
Consider the unfortunate case of Affinity Health Plan, Inc., a not-for-profit managed care plan company in New York. Affinity leased some copiers. When the lease on the copiers ran out, Affinity let the copiers go back to the lessor. The lessor stored the copiers in a warehouse in New Jersey. As you may or may not know, digital copiers have a hard drive, much like the one in your laptop. The copier makes a copy (hence the name) on its hard drive of each document run through it. These copies on the hard drive remain until overwritten by other copies or until erased. Most copiers don't have a readily available function that wipes the drive.
Now, Affinity either didn't know (probably) or didn't care about the copies on the hard drive and didn't take any action to delete them before turning the copiers back over to the lessor. So Affinity was either sloppy, negligent or uninformed; it doesn't really matter which. What they also were was really unlucky.
Consider this further: there is a company called Digital Copier Security that is owned by a Mr. Juntunen. Digital Copier Security markets a product to erase information from copier hard drives. Mr. Juntunen of Sacramento and CBS News of New York somehow got together and decided to do a story on information left on copiers. You can make your own assumptions as to how they got together and who profits from the arrangement. Mr. Juntunen and CBS News went to a warehouse in New Jersey and purchased four copiers picked out by Mr. Juntunen. Affinity's copier was one of the copiers selected. When Mr. Juntunen removed the hard drive from the Affinity copier and printed out the images left on it, several hundred pages of medical records were revealed. CBS News notified Affinity about this and returned the hard drives to Affinity.
If this copier hadn't been chosen, it is unlikely that anyone would ever have known about this and probably no records would have been revealed to anyone. However, saddled with this unfortunate and unwelcome information, Affinity was required, under HIPAA/HITECH regulations, to file a breach report. Affinity's breach report estimated that almost 350,000 people may have been affected by this breach. A couple of weeks ago, Affinity settled with Health and Human Services. The settlement required Affinity to pay a fine of $1,215,780, use best efforts to recover the hard drives from all other copiers they had similarly leased and discarded and to take certain other measures to safeguard all electronic protected health information.
To be fair, the other three copiers purchased by CBS all had sensitive information on them. One was from the Buffalo, N.Y. Police Sex Crimes Division, and it had detailed information on domestic violence complaints and a list of wanted sex offenders. Another machine, from the Buffalo Police Department, had a list of targets in a major drug raid. The other machine was from a construction company and had a number of pay records along with Social Security numbers.
However, Affinity was the only one that was regulated by HIPAA. Most unfortunate.
Thus, lessons learned: anything that has a digital storage device (computers, copiers, fax machines, cameras, smart phones, etc.) should be covered by a comprehensive policy that requires its storage to be scrubbed before disposal or return to a lessor. You do not want to be unlucky too.