Don’t let this happen to you!
Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan had to pay more than $1.2 million dollars for a breach of protected health information (PHI). The PHI was stored on the hard drives of photocopiers Affinity turned back over to leasing agents. CBS Evening News bought one of the photocopiers containing confidential medical information, and informed Affinity.
Affinity filed a breach report with the HHS Office for Civil Rights, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, estimating that up to 344,579 people may have been affected. The HHS investigation revealed that Affinity had failed to include photocopiers in its HIPAA-required risk analysis or in its policies and procedures.
If you have a digital copier in your office, remember that it’s a computer with a hard drive and storage media. As with any computer, simply deleting files doesn’t make them go away. Instead, deleting frees up storage space by allowing the computer to overwrite those files with new data. Until they are overwritten, the files are retrievable.
Federal Trade Commission guidelines recommend:
- Add photocopier management to your HIPAA security policies before you acquire a copier.
- When you buy or lease one, evaluate your options for securing data on the device. For example, some copiers offer encryption that scrambles data or a feature that lets you overwrite data after every job run.
- When you use the copier, take advantage of all its security features. If the copier is connected to a network, make sure it is securely integrated.
- When you are ready to sell or return the copier, check with the manufacturer, dealer, or servicing company for options on securing the hard drive.
For more information, see the HHS Health Information Policy webpage. The National Institute of Standards and Technology has a paper that gives hard copy storage sanitization instructions (see Table A-1) for many types of office machines and devices, including photocopiers, and even smartphones.
Visit the TMA HIPAA Resource Center to find tools, information, education, and consulting to help become HIPAA security-compliant. The Online HIPAA Security Manager is available to TMA members at a member discount starting at $99 per month. The tool offers HIPAA risk analysis, access to HIPAA experts who identify deficiencies and make recommendations, a dashboard to see risks to security and compliance, automatic documentation of HIPAA activities, online training, and more.
If you have questions, contact the TMA Knowledge Center at (800) 880-7955 or firstname.lastname@example.org.
Revised July 6, 2015
TMA Practice E-Tips main page