
How to Make Copiers and Printers HIPAA Compliant

by K Logan | Jun 24, 2015

Copier HIPAA Compliance
The Department of Health and Human Services considers copiers, printers and fax machines to be workstations that are required to be secured and maintained according to standards outlined by the Health Insurance Portability and Accountability Act, or HIPAA. Unfortunately, these devices can present some of the biggest unknown threats to the practice. Either security officers do not take these devices into consideration when they devise their HIPAA security policies, or they miss critical aspects of security regarding these devices.

Perhaps the most infamous evidence of that is the case of Affinity Health Plan. In 2010, Affinity failed to erase protected health information (PHI) from hard drives contained in leased copiers, before returning the copiers to the leasing company. As a result, more than 33,000 records were exposed, costing Affinity 1.2 million dollars in their settlement with the Department of Health and Human Services (DHHS). Affinity is likely far from alone in making this mistake. Many users do not realize these devices have hard drives and store copies of document images in the first place.

So how do you make copiers and printers HIPAA compliant? As with other practice areas, it’s all about understanding the risks presented and mitigating those risks. While not an exhaustive list, below are some important considerations for ensuring your device is HIPAA compliant.

Secure Physical Access
The location of fax machines, copiers and printers is a critical consideration. Devices need to be in a location where they are only accessible to staff members authorized to access protected health information. Further, when the devices are used to print, scan, copy or fax PHI, these documents must not be left unattended on the devices.

Hard Drive Removal
MFPs and other devices often have a hard drive that stores images of documents that are faxed, scanned, copied or printed. Prior to the machine being returned to the leasing agent, this hard drive should be removed or the data destroyed. If you’re leasing your MFP, printer, scanner, copier or fax machine, ensure that you remove the hard drive and do not return the device with PHI still contained on the drive.

User Authentication and Audits
Workstations should always be password protected to prevent unauthorized access to protected health information. As we previously discussed, all users should have unique user credentials for the devices they are authorized to use. Administrators should implement authentication verification and monitoring as well as audit capabilities to ensure only authorized persons are accessing the devices. As with other workstations, there should be a function for automatic log-off as an added safety feature.
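Audit capability is only useful if someone actually reviews the device logs. The following is an added example, not code from the original post, showing what that review can look like: it parses a hypothetical MFP audit log format ("timestamp key=value ..." lines, with the user field missing when a job ran without authentication), compares job owners against a constructed list of staff authorized to handle PHI, and flags jobs that ran unauthenticated, jobs by accounts no longer on the authorized list, and accounts with repeated failed logins. The log lines, the user list and the log format are all assumptions for illustration; a real device's format will differ.

```python
"""Review a multifunction printer (MFP) audit log for HIPAA access-control gaps.

Added example, not from the original post. Assumes a hypothetical log format:
    <timestamp> user=<id> action=<login|print|scan|copy|fax> [pages=N] result=<ok|denied>
where a job line with no user= field means the job ran without authentication.
"""
import re
from collections import Counter

# Constructed sample log lines (not captured from any real device).
SAMPLE_LOG = """\
2015-06-24T08:01:12 user=jdoe action=login result=ok
2015-06-24T08:01:40 user=jdoe action=print pages=3 result=ok
2015-06-24T08:15:03 action=copy pages=12 result=ok
2015-06-24T09:02:51 user=guest action=login result=denied
2015-06-24T09:02:58 user=guest action=login result=denied
2015-06-24T09:03:05 user=guest action=login result=denied
2015-06-24T10:30:00 user=msmith action=scan pages=5 result=ok
2015-06-24T11:11:11 user=old_temp action=fax pages=2 result=ok
"""

# Staff currently authorized to handle PHI on this device (constructed list).
AUTHORIZED_USERS = {"jdoe", "msmith"}
# Actions that produce or move a document image, i.e. potentially PHI.
PHI_ACTIONS = {"print", "scan", "copy", "fax"}
# Repeated denied logins at or above this count are worth a closer look.
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict with 'ts' plus every key=value field.

    Returns None for lines that do not fit the assumed format.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def review_audit_log(text, authorized=AUTHORIZED_USERS,
                     threshold=FAILED_LOGIN_THRESHOLD):
    """Return findings from an audit log.

    unauthenticated_jobs:   PHI actions with no user recorded
    unauthorized_user_jobs: PHI actions by users not on the authorized list
    brute_force_suspects:   accounts with >= threshold denied logins
    """
    findings = {"unauthenticated_jobs": [],
                "unauthorized_user_jobs": [],
                "brute_force_suspects": []}
    denied = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        action = rec.get("action")
        if action == "login" and rec.get("result") == "denied":
            denied[rec.get("user", "<none>")] += 1
        elif action in PHI_ACTIONS:
            user = rec.get("user")
            if user is None:
                findings["unauthenticated_jobs"].append(raw.strip())
            elif user not in authorized:
                findings["unauthorized_user_jobs"].append(raw.strip())
    findings["brute_force_suspects"] = sorted(
        u for u, n in denied.items() if n >= threshold)
    return findings


if __name__ == "__main__":
    for category, items in review_audit_log(SAMPLE_LOG).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run against the sample, the review reports one unauthenticated copy job, one fax job by a user who is no longer authorized, and the "guest" account for repeated denied logins. The authorized list should be regenerated from the practice's current staff roster each time the review runs, so that departed staff show up as unauthorized rather than being silently accepted.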

Data Encryption and Removal
PHI stored on the hard drives of MFPs, copiers, fax machines, scanners or printers needs to be encrypted using Secure Socket Layer (SSL) encryption. The network on which data is transmitted also needs to be secured through data encryption. If possible, it is also good to safeguard the data by periodically overwriting the hard drive to minimize potential unauthorized access if the hard drive falls into the wrong hands. Along with the hard drive, copier memory also needs to be deleted.
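An overwrite is only a safeguard if it actually completed, so before a device leaves the practice the drive should be read back and checked. The following is an added example, not code from the original post: it works on an in-memory byte string that stands in for a copier drive image (constructed data), overwrites it sector by sector with a fill pattern, optionally skipping sectors to simulate an overwrite tool that stopped early, and then reports any sector that still holds something other than the pattern. On a real device the same residual_sectors check would be run over the raw block device after the overwrite pass. One caveat the practitioner should keep in mind: this read-back check is meaningful for magnetic drives; flash-based storage may keep old data in blocks the controller has remapped, which a read of the logical drive never reaches, so for such devices the vendor's built-in sanitize function or physical removal of the drive is the safer option.

```python
"""Verify that a drive image has really been overwritten, sector by sector.

Added example, not from the original post. The image is an in-memory byte
string constructed here; SECTOR_SIZE and the fill patterns are assumptions.
"""
import random

SECTOR_SIZE = 512


def make_sample_image(n_sectors, seed=7):
    """Construct a fake drive image full of pseudo-random 'document' bytes."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(n_sectors * SECTOR_SIZE))


def _fill_for(pattern):
    """Expand a 1..N byte pattern to exactly one sector's worth of bytes."""
    if not pattern:
        raise ValueError("pattern must not be empty")
    return (pattern * SECTOR_SIZE)[:SECTOR_SIZE]


def overwrite_image(image, pattern=b"\x00", skip=()):
    """Return a copy of image with every sector replaced by pattern.

    Sector indices listed in skip are left untouched, which simulates an
    overwrite run that was interrupted or a tool that silently stopped early.
    """
    fill = _fill_for(pattern)
    out = bytearray(image)
    for i in range(len(image) // SECTOR_SIZE):
        if i in skip:
            continue
        out[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] = fill
    return bytes(out)


def residual_sectors(image, pattern=b"\x00"):
    """Return indices of sectors that do not consist entirely of pattern."""
    fill = _fill_for(pattern)
    return [i for i in range(len(image) // SECTOR_SIZE)
            if image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != fill]


def verify_sanitized(image, pattern=b"\x00"):
    """True only when no sector still holds anything but the fill pattern."""
    return not residual_sectors(image, pattern)


if __name__ == "__main__":
    image = make_sample_image(16)
    print("before overwrite, sectors with data:", len(residual_sectors(image)))
    clean = overwrite_image(image)
    print("after full overwrite, verified:", verify_sanitized(clean))
    partial = overwrite_image(image, skip={3, 9})
    print("after interrupted overwrite, residual sectors:", residual_sectors(partial))
```

The partial run is the case that matters: a verification pass that only checks the first few sectors, or trusts the tool's exit status, would report the drive as clean while sectors 3 and 9 still hold the original data.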
