HIPAA Best Practices for Photocopiers, Printers, and Fax Machines

Physicians and health care providers are more aware of data breach risks from their photocopier, printer, and fax machine after a covered entity was fined more than $1.2 million in 2013 for returning leased copiers that contained protected health information on the hard drives. Here are three best practices to consider when creating your HIPAA policy and procedures for photocopiers, printers, and fax machines.

  1. Locate office machines in well-supervised areas and away from plain view.

Any document that is printed, faxed, copied, or scanned on your office machines likely includes protected health information. Use good judgement to decide where to place these machines in your office. Is someone always close by so that it is difficult for unauthorized person(s) to view or access the printed information? Review the location of equipment with your staff and their responsibility to monitor access to your office machines.

  2. Document your policy and procedure for protecting data stored on office machine hard drives.

Almost every modern photocopier, printer, and fax machine has a hard drive that stores document images that may contain protected health information. Consider your options for protecting the data stored on the hard drive, such as data removal techniques. Your office equipment may come with the ability to perform a data wipe of the drive that meets federal standards for removal. Document your policy and procedure to protect the information stored on the hard drive before a machine is removed for offsite repair, replaced, or returned to a leasing company.

  3. Review your policy with any third party that owns or maintains your equipment.

Review your policy and procedure for protecting health information that may be stored on a photocopier, printer, or fax machine hard drive with the company that owns or maintains your equipment. When a machine needs to be repaired, returned, or replaced, make sure you document the procedure performed to protect the data, such as removal of the data from the hard drive or destruction of the hard drive.

Visit the TMA HIPAA Resource Center to find tools, information, education, and consulting to help you become HIPAA security-compliant.

Published July 10, 2015

Last Updated On May 30, 2019